Impact
A flaw in Oracle Complex Maintenance, Repair and Overhaul allows a low‑privileged attacker with network access over HTTP to completely take control of the application, violating confidentiality, integrity, and availability and providing a pathway to full system takeover. The weakness stems from improper access control, privilege escalation, and missing authentication for critical functions (CWE‑284, CWE‑269, CWE‑306).
Affected Systems
Oracle Complex Maintenance, Repair and Overhaul, part of Oracle E‑Business Suite. Versions from 12.2.3 up to and including 12.2.15 are affected, with the vulnerability tied to the internal operations component.
Risk and Exploitability
The CVSS 3.1 base score of 7.5 denotes high severity, while an EPSS score of less than 1% indicates that real‑world exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog, yet remote exploitation requires only low privilege and HTTP access, making it a high‑risk vector for environments with exposed web interfaces.
OpenCVE Enrichment