Impact
A flaw in Oracle Project Portfolio Analysis permits a low‑privileged attacker with network access via HTTP to gain full control of the application. The weakness involves inadequate authentication and privilege management, enabling remote code execution and compromising the confidentiality, integrity, and availability of the data handled by the application. The CVSS 3.1 vector indicates network reachability, low attack complexity, low privileges, no user interaction and a base score of 8.8.
Affected Systems
Oracle Project Portfolio Analysis in the Oracle E‑Business Suite is affected. Versions 12.2.3 through 12.2.15 are listed as vulnerable. The application runs in the internal operations component and can be reached over HTTP from the network.
Risk and Exploitability
The high CVSS base score signals severe impact, yet the EPSS value of less than 1% indicates a very low chance of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. An attacker only needs HTTP connectivity to the target instance and can take over the application, potentially exposing or altering corporate data, with no user interaction required.
OpenCVE Enrichment