CVE-2023-21973

Name of the Vulnerable Software and Affected Versions Oracle E-Business Suite versions 12.2.3 through 12.2.12

Description The issue is related to insufficient input validation in the E-Content Manager Catalog component. It allows a low-privileged attacker with network access via HTTP to compromise Oracle iProcurement, requiring human interaction from a person other than the attacker. Successful attacks can result in unauthorized update, insert, or delete access to some of Oracle iProcurement's accessible data, as well as unauthorized read access to a subset of Oracle iProcurement's accessible data.

Recommendations For versions 12.2.3 through 12.2.12, consider restricting access to the E-Content Manager Catalog component to minimize the risk of exploitation until a patch is available. As a temporary workaround, limit the use of HTTP connections to the Oracle iProcurement product. At the moment, there is no information about a newer version that contains a fix for this vulnerability.