CVE-2021-1997

Name of the Vulnerable Software and Affected Versions Oracle Hospitality Reporting and Analytics version 9.1.0

Description The issue is related to insufficient access control in the Report component of Oracle Hospitality Reporting and Analytics. This can be exploited by a remote attacker with low privileges via the HTTP protocol to gain unauthorized access to modify, add, or delete data, or to access protected information. Successful attacks can result in unauthorized creation, deletion, or modification of critical data, as well as complete access to all accessible data.

Recommendations For version 9.1.0, update to a newer version that contains a fix for this issue. As a temporary workaround, consider restricting access to the Report component to minimize the risk of exploitation. Additionally, restrict network access via HTTP to the Oracle Hospitality Reporting and Analytics product to reduce the attack surface.