Impact
A flaw in Oracle WebCenter Sites (CWE-306: Missing Authentication) lets an unauthenticated attacker who can reach the application over HTTP gain full control of the system. The vulnerability enables an exploit that changes the scope, potentially affecting other applications or services running in the same environment. Successful exploitation results in the loss of confidentiality, integrity and availability of the WebCenter Sites deployment.
Affected Systems
Oracle WebCenter Sites versions 12.2.1.4.0 and 14.1.2.0.0 are affected, regardless of which environment they are running in.
Risk and Exploitability
The CVSS v3.1 base score of 10.0 reflects a complete compromise of all security properties. The EPSS score is below 1 %, indicating a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack can be carried out remotely via an open HTTP interface without authentication or privileges, presenting a high risk to organizations that expose WebCenter Sites to the network.
OpenCVE Enrichment