Impact
An accessible vulnerability in Oracle Configure to Order allows an attacker with low privileges and network access via HTTP to create, delete, or modify critical data. The flaw provides unrestricted authorization to perform privileged operations, leading to unauthorized manipulation of all Oracle Configure to Order accessible data and exposure of confidential information. The CVSS 3.1 severity of 8.1 reflects significant confidentiality and integrity impacts.
Affected Systems
The vulnerability affects Oracle Configure to Order, part of Oracle E‑Business Suite’s Supply to Order Workbench, for versions 12.2.3 through 12.2.15. These versions are explicitly listed as affected in the security alert and product data.
Risk and Exploitability
The EPSS score of less than 1 % indicates a very low probability of exploitation in the wild, yet the CVSS score signals a high potential impact if an attacker succeeds. The attack vector requires network reachability to the Configure to Order HTTP interface and only a low level of privilege to launch the exploit. The provided information does not indicate any documented public exploitation, and the vulnerability is not listed in CISA’s KEV catalog, but the ability to alter or delete critical data makes it a highly valuable target for privileged internal actors or remote attackers with network access.
OpenCVE Enrichment