Oracle Commerce Platform Vulnerability Exposes Data Due to Authentication Flaws
CVE-2025-21576

5.4MEDIUM

Key Information:

Vendor: Oracle
Status: Oracle Commerce Platform
Vendor: CVE Published:; 15 April 2025

What is CVE-2025-21576?

A vulnerability in Oracle Commerce Platform's Dynamo Personalization Server allows low-privileged attackers with network access via HTTP to exploit the application. This flaw requires human interaction for successful exploitation and impacts data confidentiality and integrity, enabling unauthorized updates, inserts, or deletions. Additionally, it allows unauthorized read access to sensitive data. The scope of potential attacks extends beyond the Oracle Commerce product, affecting various interconnected systems.

Affected Version(s)

Oracle Commerce Platform 11.3.0

Oracle Commerce Platform 11.3.1

Oracle Commerce Platform 11.3.2

References

https://www.oracle.com/security-alerts/cpuapr2025.html

vendor-advisory

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Apr 15, 2025
Vulnerability Reserved
Dec 24, 2024