CVE-2013-7285

CRITICAL NUCLEI

Oracle Endeca Information Discovery Studio - Remote Code Execution via XStream Input Stream Manipulation

Title source: manual

Exploitation Summary

EIP tracks 2 public exploits for CVE-2013-7285. PoCs published by Brian D. Hysell, shoucheng3. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages CVE-2013-7285 in OpenMRS Reporting Module 0.9.7, where untrusted XML input is passed to a vulnerable XStream library, enabling unauthenticated remote code execution via a crafted GET request. The PoC demonstrates command execution (e.g., calc.exe) by exploiting a hardcoded UUID from the Appointment Scheduling UI module.

Description

XStream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any other supported format, e.g. JSON.
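The defensive check implied by the description is whether XStream's security framework (available from 1.4.7 onward; older versions can only be fixed by upgrading) has been configured with an allow-list before untrusted input is unmarshalled. The following is an added example, not code from the page's exploits or from the XStream project; the `Appointment` type is a hypothetical application class, and the input string is constructed for the demonstration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

public class XStreamHardening {
    // Hypothetical application type that the endpoint legitimately expects.
    public static class Appointment {
        public String patientUuid;
        public String reason;
    }

    // Weak configuration: no security framework set up, so the class name
    // inside the XML decides which type gets instantiated. This is the
    // condition CVE-2013-7285 depends on.
    public static XStream unsafeXStream() {
        return new XStream();
    }

    // Hardened configuration: deny every type, then re-allow only what the
    // application actually needs (nulls, primitives, its own data classes).
    public static XStream hardenedXStream() {
        XStream xs = new XStream();
        xs.addPermission(NoTypePermission.NONE);               // deny all
        xs.addPermission(NullPermission.NULL);                 // allow null
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);  // allow int, boolean, ...
        xs.allowTypes(new Class[] { Appointment.class, String.class });
        return xs;
    }

    public static void main(String[] args) {
        // Constructed sample: a document naming a type the endpoint never
        // intended to deserialize. The hardened instance refuses it outright.
        String untrusted = "<java.util.HashMap/>";
        try {
            hardenedXStream().fromXML(untrusted);
            System.out.println("unexpected: type was accepted");
        } catch (ForbiddenClassException e) {
            System.out.println("rejected by allow-list: " + e.getMessage());
        }
    }
}
```

In a code review, any `new XStream()` that reaches `fromXML` on request data without an `addPermission`/`allowTypes` chain like the one above is the pattern to flag.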

Exploits (2)

exploitdb WORKING POC
by Brian D. Hysell · textwebappsjava
https://www.exploit-db.com/exploits/39193

This exploit leverages CVE-2013-7285 in OpenMRS Reporting Module 0.9.7, where untrusted XML input is passed to a vulnerable XStream library, enabling unauthenticated remote code execution via a crafted GET request. The PoC demonstrates command execution (e.g., calc.exe) by exploiting a hardcoded UUID from the Appointment Scheduling UI module.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: OpenMRS Standalone 2.3, OpenMRS Platform 1.11.4 with Reporting 0.9.7 and Appointment Scheduling UI 1.0.3
No auth needed
Prerequisites: OpenMRS with vulnerable Reporting and Appointment Scheduling UI modules installed · Network access to the target
devstral-2 · analyzed Feb 16, 2026

nomisec STUB
by shoucheng3 · poc
https://github.com/shoucheng3/x-stream__xstream_CVE-2013-7285_1-4-6

The repository contains benchmarking code for XStream but lacks any exploit PoC for CVE-2013-7285. No offensive techniques or vulnerability demonstrations are present.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: XStream (version not specified in provided files)
No auth needed
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

XStream <1.4.6/1.4.10 - Remote Code Execution
CRITICAL · by pwnhxl, vicrack

References (9)

Core References
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://seclists.org/oss-sec/2014/q1/69
Third Party Advisory mailing-list x_refsource_mlist
https://www.mail-archive.com/user%40xstream.codehaus.org/msg00604.html
Third Party Advisory mailing-list x_refsource_mlist
https://www.mail-archive.com/user%40xstream.codehaus.org/msg00607.html
Broken Link, Not Applicable, URL Repurposed x_refsource_misc
http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html
Exploit, Third Party Advisory x_refsource_confirm
https://x-stream.github.io/CVE-2013-7285.html
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2020.html

Scores

CVSS v3 9.8
EPSS 0.1877
EPSS Percentile 95.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (5)
apache/activemq 5.15.8
com.thoughtworks.xstream/xstream 0 - 1.4.7 (Maven)
oracle/endeca_information_discovery_studio 3.2.0
xstream/xstream 1.4.10
xstream/xstream < 1.4.6
Published May 15, 2019
Tracked Since Feb 18, 2026