Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
HTTP-reachable and unauthenticated (AV:N, PR:N) but needs a second user to interact (UI:R) and specific conditions (AC:H); successful attack fully takes over the HR module (C/I/A:H).
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Person). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Human Resources. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).
AnalysisAI
Takeover of Oracle Human Resources in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible when a remote unauthenticated attacker tricks a separate user into interacting with a crafted HTTP request targeting the Person component. Despite high attack complexity, successful exploitation yields full confidentiality, integrity, and availability impact on the HR module. No public exploit identified at time of analysis.
Technical ContextAI
The flaw resides in the Person component of the Oracle Human Resources product, an HCM module within Oracle E-Business Suite (CPE cpe:2.3:a:oracle_corporation:oracle_human_resources). E-Business Suite is a large web-based ERP platform delivered over HTTP via Oracle Application Server/WebLogic, and the Person subcomponent manages employee identity and demographic records. No CWE is assigned by Oracle, but the combination of remote HTTP delivery, required user interaction by a separate user, and full CIA compromise of the module is consistent with a client-assisted server-side flaw such as stored XSS leading to session/privilege abuse or a CSRF-style request-forgery chain against an authenticated HR operator.
RemediationAI
Patch available per vendor advisory: apply the fixes bundled in Oracle's June 2026 Critical Patch Update for E-Business Suite as detailed at https://www.oracle.com/security-alerts/cspujun2026.html, which covers all listed 12.2.3-12.2.15 releases. Until the CPU can be applied, restrict network reach to the EBS HR Person pages by placing the application behind VPN or an authenticated reverse proxy and blocking direct internet exposure (trade-off: external self-service HR flows break), enforce strict same-site cookies and Referer checks at the load balancer to blunt cross-user request-forgery style chains, and instruct HR operators to avoid clicking untrusted links while authenticated to EBS (trade-off: training-dependent, not a technical control). Do not skip the CPU - Oracle does not publish standalone hotfixes for E-Business Suite.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37266