CVE-2019-2861

MEDIUM

Oracle Hyperion Planning - XXE

Title source: rule

Description

Vulnerability in the Oracle Hyperion Planning component of Oracle Hyperion (subcomponent: Security). The supported version that is affected is 11.1.2.4. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hyperion Planning. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Hyperion Planning accessible data. CVSS 3.0 Base Score 4.2 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N).

Exploits (1)

exploitdb WORKING POC VERIFIED

by Lucas Dinucci · textwebappsmultiple

https://www.exploit-db.com/exploits/47196

View Code ZIP pw:eip

References (2)

[Patch, Vendor Advisory] http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/153841/Oracle-Hyperion-Planning-11.1.2.3-XML-Injection.html

Scores

CVSS v3 4.2

EPSS 0.0265

EPSS Percentile 85.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-611

Status published

Products (1)

oracle/hyperion_planning 11.1.2.4

Published Jul 23, 2019

Tracked Since Feb 18, 2026