Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
HTTP-reachable EBS module exploitable by any authenticated low-privileged user (AV:N/AC:L/PR:L/UI:N); full read/write to CtO data gives C:H/I:H, no availability impact stated so A:N.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Configure to Order product of Oracle E-Business Suite (component: Supply to Order Workbench). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Configure to Order. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Configure to Order accessible data as well as unauthorized access to critical data or complete access to all Oracle Configure to Order accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
AnalysisAI
Authenticated data tampering and disclosure in Oracle Configure to Order (Oracle E-Business Suite) versions 12.2.3 through 12.2.15 allows a low-privileged attacker with network access via HTTP to fully read, modify, create, or delete all data accessible to the Supply to Order Workbench component. Oracle rates the issue CVSS 8.1 and describes it as easily exploitable; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must have network HTTP/HTTPS reachability to an Oracle E-Business Suite 12.2.3-12.2.15 instance that has the Oracle Configure to Order module deployed with the Supply to Order Workbench component active, and must hold a low-privileged authenticated EBS session (PR:L per Oracle's CVSS vector), but no user interaction, no elevated role, and no scope change are required. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) describes a network-reachable, low-complexity attack requiring only a low-privileged EBS account and no user interaction, with high confidentiality and integrity impact but no availability impact - a strong signal for prioritization wherever EBS self-service or vendor/customer portal accounts exist. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained any low-privileged Oracle E-Business Suite account - for example through phishing of an internal user, reuse of a leaked supplier-portal credential, or a self-registered account on an exposed instance - authenticates to the EBS HTTP front end and issues crafted requests against the Supply to Order Workbench. Because the flaw is network-reachable with low attack complexity and no user interaction, a single HTTP transaction can read or alter supply-order data well outside the attacker's intended scope, enabling fraud such as redirecting supply against orders or exfiltrating sensitive customer and pricing data. … |
| Remediation | Apply the Oracle Critical Patch Update fixes referenced in the June 2026 Critical Security Patch Update advisory at https://www.oracle.com/security-alerts/cspujun2026.html for each EBS 12.2.x release between 12.2.3 and 12.2.15; Oracle delivers these as patchset bundles tracked per EBS version, and exact patch numbers should be pulled from My Oracle Support based on the running 12.2.x level. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all systems running Oracle E-Business Suite versions 12.2.3 through 12.2.15 with Configure to Order/Supply to Order Workbench enabled; enumerate user accounts with access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37254