Issue detail
The
username
parameter appears to be vulnerable to SQL injection attacks. The payload
'||(select extractvalue(xmltype('%tuxjp;]>'),'/l') from dual)||'
was submitted in the username parameter. This payload injects a SQL sub-query that calls Oracle's xmltype function to evaluate some data as XML. The supplied XML defines an external entity that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed.