CVE-2015-4851

Name of the Vulnerable Software and Affected Versions Oracle E-Business Suite versions 12.0.6 through 12.2.4

Description The issue is related to errors in the code of the Oracle iSupplier Portal component. It may allow a remote attacker to access the Oracle iSupplier Portal or execute arbitrary code. The vulnerability is reportedly related to XML input and may be an XML External Entity (XXE) vulnerability, which could enable remote attackers to read arbitrary files, cause a denial of service, or conduct SMB Relay attacks via a crafted DTD in an XML request to "OA HTML/oramipp lpr".

Recommendations For versions 12.0.6 through 12.2.4, consider restricting access to the Oracle iSupplier Portal component until a patch is available. As a temporary workaround, avoid using XML input in the affected component to minimize the risk of exploitation.