Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Network-reachable HTTPS portal (AV:N/AC:L), requires a low-privileged supplier account (PR:L) and interaction from a second user (UI:R); Oracle states that a successful attack results in takeover of the portal, i.e. full C/I/A impact with no scope change (S:U).
Primary rating from Vendor (oracle).
CVSS Vector (Vendor: oracle): CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Description (source: CVE.org)
Vulnerability in the Oracle iSupplier Portal product of Oracle E-Business Suite (component: Home Page). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows a low-privileged attacker with network access via HTTPS to compromise Oracle iSupplier Portal. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle iSupplier Portal. CVSS 3.1 Base Score 8.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).
Analysis (AI-generated)
Account takeover in Oracle iSupplier Portal (E-Business Suite versions 12.2.3-12.2.15) allows a low-privileged remote attacker to fully compromise the application by tricking a separate user into interacting with attacker-supplied content over HTTPS. The Home Page component is the entry point, and successful exploitation yields full confidentiality, integrity, and availability impact on the portal. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Attacker must already hold a low-privileged authenticated account on the iSupplier Portal (PR:L) and reach the Home Page component over HTTPS on Oracle E-Business Suite 12.2.3-12.2.15; the iSupplier Portal module must be deployed and enabled (it is optional within EBS). … |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, base 8.0) reflects a network-reachable, low-complexity flaw that only requires a registered low-privilege supplier account plus interaction from a second user, a realistic precondition in any production EBS deployment that onboards external suppliers. … |
| Exploit Scenario | An attacker registers or compromises a low-privileged supplier account, then plants malicious content (likely script or crafted markup) in a field rendered on the iSupplier Home Page. When an internal buyer, approver, or administrator opens the page in their authenticated browser session, the payload executes in their context and is used to hijack the session or perform privileged actions, resulting in full takeover of the iSupplier Portal. … |
| Remediation | Apply the fixes from Oracle's June 2026 Critical Patch Update as documented at https://www.oracle.com/security-alerts/cspujun2026.html, which is the only vendor-released remediation for iSupplier Portal 12.2.3-12.2.15 (patch available per vendor advisory; no standalone fix version was published in the CVE record itself). … |
Recommended Action (AI-generated)
24 hours: Identify all E-Business Suite instances running affected versions 12.2.3-12.2.15; review iSupplier Portal access logs for unusual authentication activity. …
EUVD identifier: EUVD-2026-37386