Impact
The Oracle Enterprise Command Center Framework vulnerability enables a remote attacker who can reach the HTTP endpoints to create, delete, modify, or read critical data, as well as partially disrupt service. The flaw stems from improper privilege and access controls (CWE‑269 and CWE‑284), allowing the attacker to bypass authorization checks and manipulate sensitive information. The impact extends across confidentiality, integrity, and availability, potentially affecting the entire framework and related database tables.
Affected Systems
Oracle Enterprise Command Center Framework versions 15 and 16, part of Oracle E‑Business Suite, are affected. Any environment exposing these versions over HTTP is vulnerable, regardless of operating system or infrastructure.
Risk and Exploitability
The CVSS 3.1 base score of 9.9 reflects high severity, while the EPSS score of less than 1 % indicates a low probability of widespread exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via unauthenticated HTTP access, requiring no user interaction; this inference is based on the description’s mention of “network access via HTTP” and “low privileged attacker.” Successful exploitation can lead to unauthorized data manipulation, exposure, and partial denial of service, with a scope change that may affect additional Oracle products.
OpenCVE Enrichment