Vulnerability in the Oracle Scripting product of Oracle E-Business Suite (component: iSurvey Module). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Scripting. Successful attacks of this vulnerability can result in takeover of Oracle Scripting. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The vulnerability classified as CWE-306 (missing required authentication for critical function) allows an attacker to access sensitive system functions without providing any credentials. The attack is carried out over the network via HTTP protocol, requires no user interaction or special privileges. Due to the low attack complexity (AC:L), exploitation is simple and repeatable.
Successful attack leads to complete takeover of the Oracle Scripting component — the attacker gains full control over the confidentiality, integrity, and availability of the system, corresponding to a takeover scenario of the attacked instance.
Apply patches available from the vendor according to references — Oracle Critical Patch Update from April 2025 (https://www.oracle.com/security-alerts/cpuapr2025.html). Until the patch is implemented, it is recommended to restrict network access to the iSurvey Module through a firewall or network-level access control.
Oracle E-Business Suite, Oracle Scripting product, iSurvey Module component — versions 12.2.3 through 12.2.14 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOracle E Business Suite
APPOracle12.2.3 – 12.2.14
Related vulnerabilities
Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component:...
Krytyczna podatność Auth Bypass w Oracle Payments (E-Business Suite)
Krytyczny Auth Bypass w Oracle Internet Procurement Connector (E-Business Suite)
Vulnerability in the Oracle One-to-One Fulfillment component of Oracle E-Business Suite (subcomponent: OCM Que...
Vulnerability in the Oracle Performance Management component of Oracle E-Business Suite (subcomponent: Perform...