Description
Vulnerability in the Oracle Configure to Order product of Oracle E-Business Suite (component: Supply to Order Workbench). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Configure to Order. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Configure to Order accessible data as well as unauthorized access to critical data or complete access to all Oracle Configure to Order accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An accessible vulnerability in Oracle Configure to Order allows an attacker with low privileges and network access via HTTP to create, delete, or modify critical data. The flaw provides unrestricted authorization to perform privileged operations, leading to unauthorized manipulation of all Oracle Configure to Order accessible data and exposure of confidential information. The CVSS 3.1 severity of 8.1 reflects significant confidentiality and integrity impacts.

Affected Systems

The vulnerability affects Oracle Configure to Order, part of Oracle E‑Business Suite’s Supply to Order Workbench, for versions 12.2.3 through 12.2.15. These versions are explicitly listed as affected in the security alert and product data.

Risk and Exploitability

The EPSS score of less than 1 % indicates a very low probability of exploitation in the wild, yet the CVSS score signals a high potential impact if an attacker succeeds. The attack vector requires network reachability to the Configure to Order HTTP interface and only a low level of privilege to launch the exploit. The provided information does not indicate any documented public exploitation, and the vulnerability is not listed in CISA’s KEV catalog, but the ability to alter or delete critical data makes it a highly valuable target for privileged internal actors or remote attackers with network access.

Generated by OpenCVE AI on June 17, 2026 at 22:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available Oracle security patch for Configure to Order.
  • Restrict HTTP access to Configure to Order by limiting connections to trusted IP ranges or implementing a VPN or firewall rule set.
  • Configure application‑level access controls to enforce least‑privilege for all user accounts and monitor audit logs for unauthorized data modification attempts.

Generated by OpenCVE AI on June 17, 2026 at 22:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthorized Data Modification in Oracle Configure to Order via HTTP
Weaknesses CWE-284

Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Configure to Order product of Oracle E-Business Suite (component: Supply to Order Workbench). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Configure to Order. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Configure to Order accessible data as well as unauthorized access to critical data or complete access to all Oracle Configure to Order accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
First Time appeared Oracle
Oracle configure To Order
CPEs cpe:2.3:a:oracle:configure_to_order:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle configure To Order
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


Subscriptions

Oracle Configure To Order
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T13:48:58.922Z

Reserved: 2026-05-18T15:55:10.312Z

Link: CVE-2026-46939

cve-icon Vulnrichment

Updated: 2026-06-18T13:47:41.909Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:44:55Z

Weaknesses