CVE-2020-2597

Name of the Vulnerable Software and Affected Versions Oracle E-Business Suite versions 12.1.1 through 12.1.3 Oracle E-Business Suite versions 12.2.3 through 12.2.9

Description The issue is related to inadequate access control in the Oracle One-to-One Fulfillment product, specifically in the Call Phone Number Page component. This allows an unauthenticated attacker with network access via HTTPS to compromise Oracle One-to-One Fulfillment. Successful attacks require human interaction from a person other than the attacker and may significantly impact additional products. The attacks can result in unauthorized update, insert, or delete access to some of Oracle One-to-One Fulfillment's accessible data.

Recommendations For versions 12.1.1 through 12.1.3, consider restricting access to the Call Phone Number Page component until a fix is available. For versions 12.2.3 through 12.2.9, consider implementing additional access control measures to mitigate the risk of exploitation. As a temporary workaround, consider disabling the Call Phone Number Page component until a patch is available.