Devin Rosenbauer

**Name of the Vulnerable Software and Affected Versions** Oracle Fusion Middleware Identity Manager version 11.1.2.3.0 **Description** The issue is related to insufficient input validation in the Request Management & Workflow component of Oracle Identity Manager, part of the Oracle Fusion Middleware platform. This allows an unauthenticated attacker with network access via HTTP to compromise Identity Manager, resulting in unauthorized read access to a subset of Identity Manager accessible data. **Recommendations** For version 11.1.2.3.0, consider restricting access to the Request Management & Workflow component until a patch is available. As a temporary workaround, limit the use of HTTP protocol for Identity Manager to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Identity Manager versions 11.1.2.3.0 through 12.2.1.3.0 **Description** The issue is related to inadequate access control in the Advanced Console component of Oracle Identity Manager. It can be exploited by a remote attacker to compromise the integrity of data or disclose protected information via the HTTP protocol. Successful attacks may result in unauthorized access to update, insert, or delete some Identity Manager data, as well as unauthorized read access to a subset of Identity Manager data. **Recommendations** For versions 11.1.2.3.0 and 12.2.1.3.0, consider restricting access to the Advanced Console component until a patch is available. As a temporary workaround, limit network access via HTTP to the Identity Manager to minimize the risk of exploitation.