CVE-2019-2861

MEDIUM

Oracle Hyperion Planning 11.1.2.4 - XML External Entity Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-2861. PoCs published by Lucas Dinucci.

AI-analyzed exploit summary This exploit demonstrates an XXE injection vulnerability in Oracle Hyperion Enterprise Performance Management System 11.1.2.3. It allows an authenticated attacker to disclose internal files, perform internal port scanning, or achieve remote code execution via crafted XML payloads.

Description

Vulnerability in the Oracle Hyperion Planning component of Oracle Hyperion (subcomponent: Security). The supported version that is affected is 11.1.2.4. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hyperion Planning. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Hyperion Planning accessible data. CVSS 3.0 Base Score 4.2 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N).

Exploits (1)

exploitdb WORKING POC VERIFIED

by Lucas Dinucci · textwebappsmultiple

https://www.exploit-db.com/exploits/47196

View Code ZIP pw:eip

This exploit demonstrates an XXE injection vulnerability in Oracle Hyperion Enterprise Performance Management System 11.1.2.3. It allows an authenticated attacker to disclose internal files, perform internal port scanning, or achieve remote code execution via crafted XML payloads.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: Oracle Hyperion Enterprise Performance Management System 11.1.2.3

Auth required

Prerequisites: Authenticated access to the target application · Network access to the target server · Ability to host a malicious DTD file on an external server

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1005 - Data from Local System

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Patch, Vendor Advisory x_refsource_misc

http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Exploit, Third Party Advisory x_refsource_misc

http://packetstormsecurity.com/files/153841/Oracle-Hyperion-Planning-11.1.2.3-XML-Injection.html

Scores

CVSS v3 4.2

EPSS 0.0431

EPSS Percentile 89.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-611

Status published

Products (1)

oracle/hyperion_planning 11.1.2.4

Published Jul 23, 2019

Tracked Since Feb 18, 2026