Impact
The vulnerability is in the Self Service Manager component of Oracle Payroll within Oracle E‑Business Suite. A low‑privileged attacker who can reach the application over HTTP can exploit the flaw to gain full control of the payroll system. Successful exploitation compromises the confidentiality, integrity, and availability of payroll data, potentially allowing arbitrary configuration changes, data export, or deletion. The CVSS v3.1 vector reflects that the flaw is exploitable from the network, with low attack complexity, low privileges required, and no user interaction. The impact is complete takeover of the payroll module.
Affected Systems
Oracle Payroll, an Oracle Corporation product that is part of Oracle E‑Business Suite, is affected in versions 12.2.3 through 12.2.15. The impacted component is Self Service Manager. No other vendors or products are listed. Systems running any of those supported versions are at risk.
Risk and Exploitability
The CVSS base score of 8.8 classifies the issue as high severity. The flaw is exploitable over the network and requires minimal effort; an attacker needs only HTTP access to the payroll console and does not need privileged credentials. The EPSS score of less than 1% indicates a very low likelihood of exploitation, and the vulnerability is not yet in the CISA KEV catalog. Nevertheless, the combination of high severity and easy network reachability suggests that any unsecured payroll installation is a valid target.
OpenCVE Enrichment