CVE-2020-14536

Name of the Vulnerable Software and Affected Versions: Oracle Commerce Guided Search / Oracle Commerce Experience Manager versions prior to 11.3.1

Description: The issue allows an unauthenticated attacker with network access via HTTP to compromise Oracle Commerce Guided Search / Oracle Commerce Experience Manager. Successful attacks can result in unauthorized creation, deletion, or modification access to critical data or all accessible data, as well as unauthorized access to critical data or complete access to all accessible data. The vulnerability exists due to insufficient input validation in the Workbench component of the Oracle Commerce Guided Search and Oracle Commerce Experience Manager.

Recommendations: For versions prior to 11.3.1, update to version 11.3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the Workbench component to minimize the risk of exploitation. Avoid using the HTTP protocol for sensitive operations until the issue is resolved. At the moment, there is no information about additional mitigation measures.