Tuan Anh Nguyen

**Name of the Vulnerable Software and Affected Versions** Oracle Agile Product Lifecycle Management for Process versions prior to 6.2.4.2 **Description** The issue is related to insufficient input validation in the Installation component of the Oracle Agile Product Lifecycle Management for Process product. This can allow an attacker to compromise the confidentiality, integrity, and availability of protected information. Successful attacks can result in unauthorized update, insert, or delete access to some data, as well as unauthorized read access to a subset of data and the ability to cause a partial denial of service. **Recommendations** For versions prior to 6.2.4.2, update to version 6.2.4.2 or later to resolve the issue. As a temporary workaround, consider restricting network access via HTTP to the Installation component until a patch is applied. Additionally, monitor the system for any suspicious activity and apply any available configuration changes or workarounds to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 12.1.1 through 12.1.3 Oracle E-Business Suite versions 12.2.3 through 12.2.8 **Description** The issue is related to insufficient input validation in the Miscellaneous component of Oracle Scripting, allowing an unauthenticated attacker with network access via HTTP to compromise Oracle Scripting. Successful attacks can result in the takeover of Oracle Scripting, impacting confidentiality, integrity, and availability. **Recommendations** For versions 12.1.1 through 12.1.3, update to a version outside of this range to mitigate the risk. For versions 12.2.3 through 12.2.8, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the HTTP endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle Business Intelligence Enterprise Edition versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, and 12.2.1.4.0 **Description** The issue is due to insufficient input validation in the Analytics Web General component. It allows an unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. This can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data, as well as unauthorized update, insert, or delete access to some of the data. **Recommendations** For versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, and 12.2.1.4.0, consider restricting access to the Analytics Web General component until a patch is available. As a temporary workaround, limit the use of HTTP requests to minimize the risk of exploitation. Avoid using the vulnerable component for critical operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Oracle E-Business Suite versions 12.1.1 through 12.1.3 Oracle E-Business Suite versions 12.2.3 through 12.2.10 Description: The vulnerability in the Oracle Trade Management product of Oracle E-Business Suite is related to insufficient input validation in the User Interface component. This issue can be exploited by an unauthenticated attacker with network access via HTTP, allowing them to compromise Oracle Trade Management. Successful attacks can result in unauthorized creation, deletion, or modification access to critical data or all Oracle Trade Management accessible data, as well as unauthorized access to critical data or complete access to all Oracle Trade Management accessible data. Recommendations: For Oracle E-Business Suite versions 12.1.1 through 12.1.3, update to a version outside of this range to mitigate the risk. For Oracle E-Business Suite versions 12.2.3 through 12.2.10, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the User Interface component until a patch is available. Avoid using the HTTP protocol to access Oracle Trade Management until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Oracle Universal Work Queue version 12.1.3 **Description** The issue is related to insufficient input validation in the Work Provider Administration component of the Oracle Universal Work Queue application. This can be exploited by a remote attacker to gain unauthorized access to sensitive information, execute arbitrary code, or cause a denial of service. **Recommendations** For version 12.1.3, update to a newer version that includes a fix for this issue to prevent exploitation. As a temporary workaround, consider restricting access to the Work Provider Administration component to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Oracle Universal Work Queue versions 12.2.3 through 12.2.9 Description: The issue is related to insufficient input validation in the Internal Operations component of Oracle Universal Work Queue, part of the Oracle E-Business Suite. This can be exploited by a remote attacker using the HTTP protocol to gain full control over the application. The vulnerability can be easily exploited by a low-privileged attacker with network access, potentially leading to a takeover of Oracle Universal Work Queue. Recommendations: For versions 12.2.3 through 12.2.9, update to a version that includes the fix for this issue to prevent exploitation. As a temporary workaround, consider restricting access to the Internal Operations component until a patch is available. Avoid using the HTTP protocol to access the Oracle Universal Work Queue until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Oracle E-Business Suite versions 12.1.1 through 12.1.3 Oracle E-Business Suite versions 12.2.3 through 12.2.10 Description: The issue is related to insufficient input validation in the Marketing Administration component of Oracle Marketing, part of the Oracle E-Business Suite system. This can be exploited by a remote attacker to gain unauthorized access to protected information or to modify, add, or delete data using the HTTP protocol. Successful attacks can result in unauthorized access to critical data or complete access to all Oracle Marketing accessible data. Recommendations: For Oracle E-Business Suite versions 12.1.1 through 12.1.3, update to a version outside of this range to mitigate the risk. For Oracle E-Business Suite versions 12.2.3 through 12.2.10, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the Marketing Administration component until a patch is available. Avoid using the HTTP protocol for sensitive operations until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Oracle CRM Gateway for Mobile Devices versions 12.1.1 through 12.1.3 **Description** The issue is related to insufficient input validation in the Setup of Mobile Applications component. This can be exploited by a remote attacker to gain unauthorized access to protected information or to modify, add, or delete data using the HTTP protocol. The vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle CRM Gateway for Mobile Devices, potentially resulting in unauthorized creation, deletion, or modification of critical data. **Recommendations** For versions 12.1.1 through 12.1.3, update to a version that includes the fix for this issue to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 12.1.1 through 12.1.3 **Description** The issue is related to insufficient input validation in the Setup of Mobile Applications component of the Oracle CRM Gateway for Mobile Devices product. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise the Oracle CRM Gateway for Mobile Devices. Successful attacks can result in unauthorized creation, deletion, or modification access to critical data or all accessible data, as well as unauthorized access to critical data or complete access to all accessible data. **Recommendations** For versions 12.1.1 through 12.1.3, update to a version that includes the fix for this issue to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 12.1.3 and 12.2.3 through 12.2.9 **Description** The issue is related to insufficient access control in the Preferences component of Oracle CRM Technical Foundation, allowing an unauthenticated attacker with network access via HTTP to compromise the system. Successful attacks can result in unauthorized read access to a subset of Oracle CRM Technical Foundation accessible data. **Recommendations** For versions 12.1.3 and 12.2.3 through 12.2.9, update to a version that includes the fix for this issue to prevent unauthorized access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Intelligence versions 12.1.1 through 12.1.3 **Description** The issue is related to inadequate access control in the DBI Setups component of Oracle E-Business Intelligence, part of the Oracle E-Business Suite. This allows a remote attacker to gain unauthorized access to sensitive information or modify, add, or delete data using the HTTP protocol. Successful attacks require some interaction from someone other than the attacker and can significantly impact additional products, leading to unauthorized access to critical data or complete access to all accessible data within Oracle E-Business Intelligence. **Recommendations** For versions 12.1.1 through 12.1.3, consider restricting access to the DBI Setups component until a fix is available, and ensure that all interactions with the Oracle E-Business Intelligence system are closely monitored to prevent unauthorized data modifications. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle iSupport versions 12.1.1 through 12.1.3 Oracle iSupport versions 12.2.3 through 12.2.8 **Description** The issue is related to inadequate access control in the User Interface component of Oracle iSupport, allowing a remote attacker to modify, add, or delete data using the HTTP protocol. The vulnerability can be exploited by an unauthenticated attacker with network access, but successful attacks require human interaction from someone other than the attacker. This issue may have a significant impact on additional products and can result in unauthorized access to modify, insert, or delete some of Oracle iSupport's accessible data. **Recommendations** For versions 12.1.1 through 12.1.3, update to a version outside of this range to mitigate the risk. For versions 12.2.3 through 12.2.8, update to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the User Interface component until a patch is available. Restrict access to the HTTP protocol to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 12.1.1 through 12.1.3 **Description** The issue is related to inadequate access control in the Administration component of the Oracle Marketing Encyclopedia System. It allows an unauthenticated attacker with network access via HTTP to compromise the system. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. This can result in unauthorized access to critical data, complete access to all accessible data, as well as unauthorized update, insert, or delete access to some accessible data. **Recommendations** For versions 12.1.1 through 12.1.3, consider restricting access to the Administration component until a fix is available. As a temporary workaround, limit the use of HTTP protocol for sensitive operations. Additionally, ensure that all users are aware of the potential for social engineering attacks that may be used in conjunction with this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Knowledge versions 8.6.0 through 8.6.3 **Description** The issue is related to insufficient input validation in the Information Manager Console component of Oracle Knowledge, allowing a remote attacker to cause a denial of service via the HTTP protocol. This can result in the unauthorized ability to cause the system to hang or crash repeatedly, leading to a complete denial of service. **Recommendations** For versions 8.6.0 through 8.6.3, update to a version that includes the fix for this issue to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 12.1.1 through 12.1.3 **Description** The issue is related to inadequate access control in the Oracle Scripting component of Oracle E-Business Suite. It allows an unauthenticated attacker with network access via HTTP to compromise Oracle Scripting, potentially leading to unauthorized access to critical data or complete access to all Oracle Scripting accessible data. The attacker may also gain unauthorized update, insert, or delete access to some of Oracle Scripting's accessible data. Successful attacks require human interaction from a person other than the attacker. **Recommendations** For versions 12.1.1 through 12.1.3, consider restricting access to the Oracle Scripting component via HTTP to minimize the risk of exploitation until a patch is available. As a temporary workaround, limit the use of sensitive data within Oracle Scripting to reduce the potential impact of unauthorized access. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Intelligence versions 12.1.1 through 12.1.3 **Description** The issue is related to inadequate access control in the DBI Setups component of Oracle E-Business Intelligence, part of the Oracle E-Business Suite. This can be exploited by a remote attacker to gain unauthorized access to sensitive information or to modify, add, or delete data using the HTTP protocol. Successful attacks may require interaction from someone other than the attacker and can significantly impact additional products, potentially leading to unauthorized access to critical data or complete access to all accessible data within Oracle E-Business Intelligence. **Recommendations** For versions 12.1.1 through 12.1.3, update to a version that includes the fix for this issue to prevent unauthorized access and data modification. As a temporary workaround, consider restricting access to the DBI Setups component until a patch is available. Avoid using the HTTP protocol for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 12.1.1 through 12.1.3 **Description** The issue is related to inadequate access control in the Oracle iSupport product, specifically in the Profile component. It allows an unauthenticated attacker with network access via HTTP to compromise Oracle iSupport, potentially leading to unauthorized access to critical data or complete access to all Oracle iSupport accessible data. The attack requires human interaction from a person other than the attacker and may significantly impact additional products. Successful exploitation can result in unauthorized update, insert, or delete access to some of Oracle iSupport accessible data. **Recommendations** For versions 12.1.1 through 12.1.3, consider restricting access to the Profile component until a patch is available. As a temporary workaround, limit the use of HTTP protocol for Oracle iSupport to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Financial Services Asset Liability Management versions 8.0.6 through 8.0.7 **Description** The issue is related to the lack of protection for service data in the User Interface component of Oracle Financial Services Asset Liability Management. It allows a low-privileged attacker with network access via HTTP to compromise the system. Successful attacks can result in unauthorized creation, deletion, or modification access to critical data, as well as unauthorized read access to a subset of accessible data. **Recommendations** For versions 8.0.6 and 8.0.7, update to a version that includes the fix for this issue to prevent unauthorized access and data modification. As a temporary workaround, consider restricting access to the User Interface component until a patch is available. Avoid using the HTTP protocol for sensitive operations until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Oracle Financial Services Hedge Management and IFRS Valuations versions 8.0.6 through 8.0.8 **Description** The issue is related to the lack of protection for service data in the User Interface component of Oracle Financial Services Hedge Management and IFRS Valuations. This allows a low-privileged attacker with network access via HTTP to compromise the system. Successful attacks can result in unauthorized creation, deletion, or modification access to critical data, as well as unauthorized read access to a subset of accessible data. **Recommendations** For versions 8.0.6 through 8.0.8, consider restricting access to the User Interface component until a patch is available. As a temporary workaround, limit the use of HTTP requests to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 12.1.1 through 12.1.3 **Description** The issue is related to inadequate access controls in the Estimate and Actual Charges component of Oracle Depot Repair, allowing an unauthenticated attacker with network access via HTTP to compromise the system. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. This can result in unauthorized access to critical data, complete access to all accessible data, as well as unauthorized update, insert, or delete access to some accessible data. **Recommendations** For versions 12.1.1 through 12.1.3, consider restricting access to the Estimate and Actual Charges component until a fix is available. As a temporary workaround, limit the use of HTTP protocol for accessing Oracle Depot Repair to minimize the risk of exploitation. Additionally, ensure that all users are aware of the potential for social engineering attacks that may be used in conjunction with this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.