6.8
CVSSv2

CVE-2014-6577

Published: 21/01/2015 Updated: 28/11/2016
CVSS v2 Base Score: 6.8 | Impact Score: 6.9 | Exploitability Score: 8
VMScore: 606
Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N

Vulnerability Summary

Unspecified vulnerability in the XML Developer's Kit for C component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the original researcher's claim that this is an XML external entity (XXE) vulnerability in the XML parser, which allows malicious users to conduct internal port scanning, perform SSRF attacks, or cause a denial of service via a crafted (1) http: or (2) ftp: URI.

Most Upvoted Vulmon Research Post

There is no Researcher post for this vulnerability
Would you like to share something about it? Sign up now to share your knowledge with the community.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

oracle database server 12.1.0.1

oracle database server 12.1.0.2

oracle database server 11.2.0.3

oracle database server 11.2.0.4

Vendor Advisories

<!-- content goes here --> Oracle Critical Patch Update Advisory - January 2015 Description A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisor ...

Github Repositories

Automated Oracle CVE-2014-6577 exploitation via SQLi

oracle-xxe-sqli Automated Oracle CVE-2014-6577 exploitation via SQLi Usage: oracle-xxe-sqlipy [-h] [-i IP] [-p PORT] [--disable-server] [--custom-headers CUSTOM_HEADERS] [-f PAYLOAD_FILE] url Options positional arguments: url URL to inject Use * as the injection marker, just once optional arguments: -h, --help

信息收集 主机信息收集 敏感目录文件收集 目录爆破 字典 BurpSuite 搜索引擎语法 Google Hack DuckDuckgo 可搜索微博、人人网等屏蔽了主流搜索引擎的网站 Bing js文件泄漏后台或接口信息 快捷搜索第三方资源 findjs robotstxt 目录可访问( autoindex ) iis短文件名 IIS-ShortName-Scanner