CVE-2015-4854

Name of the Vulnerable Software and Affected Versions Oracle E-Business Suite versions 12.0.6 through 12.2.4

Description The issue is related to the Oracle Application Object Library component and affects data integrity. It may be related to Single Signon and potentially allows remote attackers to inject arbitrary web script or HTML, although the exact nature of the vulnerability is not confirmed by Oracle. The exploitation could be related to unknown vectors and may involve the Domain parameter in the CfgOCIReturn servlet. There are claims that this issue could be a cross-site scripting (XSS) vulnerability.

Recommendations For versions 12.0.6 through 12.2.4, consider restricting access to the Single Signon feature and the CfgOCIReturn servlet to minimize the risk of exploitation. As a temporary workaround, avoid using the Domain parameter in the affected servlet until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.