Impact
A vulnerability in the authorization component of Oracle Public Sector Financials (International) allows an attacker without elevated privileges who has network access to HTTP endpoints to compromise the application. The flaw can lead to complete takeover of the system, resulting in loss of confidentiality, integrity, and availability of the financial data it manages. The issue is classified as high severity with a CVSS score of 8.8; successful exploitation gives the attacker full control over the application.
Affected Systems
The affected product is Oracle Public Sector Financials (International), part of Oracle E‑Business Suite. Versions from 12.2.3 through 12.2.15 are impacted.
Risk and Exploitability
The CVSS vector indicates network access (AV:N), low attack complexity (AC:L), low privilege (PR:L), no user interaction (UI:N), and unchanged scope (S:U), with high impact on confidentiality, integrity, and availability. The EPSS score is under 1%, indicating very low exploitation probability at the time of this analysis, and the flaw is not yet listed in CISA’s KEV catalog. Nonetheless, because the vulnerability permits a full takeover, it should be treated as critical and prioritized for remediation. Attackers with simple HTTP access can exploit the flaw without elevated privileges, meaning the risk is significant even for moderately exposed environments.
OpenCVE Enrichment