Vulnerability in Oracle iProcurement of Oracle E-Business Suite
CVE-2023-21973

5.4MEDIUM

Key Information:

Vendor: Oracle
Status: Iprocurement
Vendor: CVE Published:; 18 April 2023

Summary

A vulnerability exists in Oracle iProcurement within the Oracle E-Business Suite's E-Content Manager Catalog component. This flaw allows a low-privileged attacker with network access via HTTP to compromise the system. Although reliance on human interaction from an external party is required for exploitation, successful attacks can lead to unauthorized updates, insertions, or deletions of data within Oracle iProcurement. Furthermore, attackers may gain unauthorized read access to certain datasets. The potential for these attacks could extend beyond just Oracle iProcurement, affecting other products and increasing the breadth of the attack's impact.

Affected Version(s)

iProcurement 12.2.3-12.2.12

References

https://www.oracle.com/security-alerts/cpuapr2023.html

vendor-advisory

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Apr 18, 2023
Vulnerability Reserved
Dec 17, 2022