Oracle E Business Suite

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Oracle E Business Suite.

By the Year

In 2025 there have been 9 vulnerabilities in Oracle E Business Suite with an average score of 7.7 out of ten. Last year, in 2024 E Business Suite had 44 security vulnerabilities published. Right now, E Business Suite is on track to have less security vulnerabilities in 2025 than it did last year. However, the average CVE base score of the vulnerabilities in 2025 is greater by 0.92.

Year	Vulnerabilities	Average Score
2025	9	7.70
2024	44	6.78
2023	6	5.98
2022	2	8.65
2021	1	5.90
2020	0	0.00
2019	16	6.66
2018	12	5.63

It may take a day or so for new E Business Suite vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Oracle E Business Suite Security Vulnerabilities

Oracle Scripting 12.2.312.2.14 Unauth HTTP Access (CVE202561753)
CVE-2025-61753 6.1 - Medium - October 21, 2025

Vulnerability in the Oracle Scripting product of Oracle E-Business Suite (component: Miscellaneous). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Scripting. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Scripting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Scripting accessible data as well as unauthorized read access to a subset of Oracle Scripting accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Open Redirect

Oracle EBS Marketing Admin: 12.2.3-12.2.14 Unauth RCE via HTTP
CVE-2025-53072 9.8 - Critical - October 21, 2025

Vulnerability in the Oracle Marketing product of Oracle E-Business Suite (component: Marketing Administration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Marketing. Successful attacks of this vulnerability can result in takeover of Oracle Marketing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Missing Authentication for Critical Function

Oracle Concurrent Processing (BI Pub Int) 12.2.3-12.2.14 Remote Code Exec
CVE-2025-61882 9.8 - Critical - October 05, 2025

Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks of this vulnerability can result in takeover of Oracle Concurrent Processing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

authentification

Oracle Apps Framework 12.2.3-12.2.14: Low Priv Exploitable via HTTP (Pers)
CVE-2025-50090 5.4 - Medium - July 15, 2025

Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Personalization). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Applications Framework. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Applications Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Applications Framework accessible data as well as unauthorized read access to a subset of Oracle Applications Framework accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

Oracle Configurator v12.2.3-12.2.14 Orders: unauthorized data access
CVE-2025-30720 6.1 - Medium - April 15, 2025

Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: Orders). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Configurator, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Configurator accessible data as well as unauthorized read access to a subset of Oracle Configurator accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Oracle EBS iSurvey Module RCE 12.2.3-12.2.14
CVE-2025-30727 9.8 - Critical - April 15, 2025

Vulnerability in the Oracle Scripting product of Oracle E-Business Suite (component: iSurvey Module). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Scripting. Successful attacks of this vulnerability can result in takeover of Oracle Scripting. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Oracle EBS OBX Telephony CVE-2025-21489: 12.2.3-12.2.10
CVE-2025-21489 6.1 - Medium - January 21, 2025

Vulnerability in the Oracle Advanced Outbound Telephony product of Oracle E-Business Suite (component: Region Mapping). Supported versions that are affected are 12.2.3-12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Advanced Outbound Telephony. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Advanced Outbound Telephony, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Advanced Outbound Telephony accessible data as well as unauthorized read access to a subset of Oracle Advanced Outbound Telephony accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Oracle Project Foundation CVE-2025-21506 (12.2.312.2.13) Tech Foundation
CVE-2025-21506 8.1 - High - January 21, 2025

Vulnerability in the Oracle Project Foundation product of Oracle E-Business Suite (component: Technology Foundation). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Project Foundation. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Project Foundation accessible data as well as unauthorized access to critical data or complete access to all Oracle Project Foundation accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Oracle EBS Customer Care SR HTTP PrivEsc CVE-2025-21516 12.2.512.2.13
CVE-2025-21516 8.1 - High - January 21, 2025

Vulnerability in the Oracle Customer Care product of Oracle E-Business Suite (component: Service Requests). Supported versions that are affected are 12.2.5-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Customer Care. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Customer Care accessible data as well as unauthorized access to critical data or complete access to all Oracle Customer Care accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Oracle Field Service Engineer Portal 12.2.3-13 HTTP Data Tampering
CVE-2024-21271 8.1 - High - October 15, 2024

Vulnerability in the Oracle Field Service product of Oracle E-Business Suite (component: Field Service Engineer Portal). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Field Service. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Field Service accessible data as well as unauthorized access to critical data or complete access to all Oracle Field Service accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Oracle EBS 12.2.3-14: UI CVE-2024-21258 Allows Unauth Read Access
CVE-2024-21258 5.3 - Medium - October 15, 2024

Vulnerability in the Oracle Installed Base product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Installed Base. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Installed Base accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

Oracle EBS Calendar Tasks: CVE-2024-21270 IDOR before 12.2.13
CVE-2024-21270 8.1 - High - October 15, 2024

Vulnerability in the Oracle Common Applications Calendar product of Oracle E-Business Suite (component: Tasks). Supported versions that are affected are 12.2.6-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Common Applications Calendar. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Common Applications Calendar accessible data as well as unauthorized access to critical data or complete access to all Oracle Common Applications Calendar accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Oracle Incentive Compensation RCE via HTTP in 12.2.3-12.2.13 (CVE-2024-21269)
CVE-2024-21269 8.1 - High - October 15, 2024

Vulnerability in the Oracle Incentive Compensation product of Oracle E-Business Suite (component: Compensation Plan). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Incentive Compensation. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Incentive Compensation accessible data as well as unauthorized access to critical data or complete access to all Oracle Incentive Compensation accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Oracle Apps Manager 12.2.13- Diagnostics PrivEsc via HTTP
CVE-2024-21268 8.1 - High - October 15, 2024

Vulnerability in the Oracle Applications Manager product of Oracle E-Business Suite (component: Diagnostics). Supported versions that are affected are 12.2.11-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Applications Manager. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Applications Manager accessible data as well as unauthorized access to critical data or complete access to all Oracle Applications Manager accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Oracle Cost Mgmt 12.2.12-12.2.13 Auth Bypass via Cost Planning (CVE-2024-21267)
CVE-2024-21267 8.1 - High - October 15, 2024

Vulnerability in the Oracle Cost Management product of Oracle E-Business Suite (component: Cost Planning). Supported versions that are affected are 12.2.12-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Cost Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Cost Management accessible data as well as unauthorized access to critical data or complete access to all Oracle Cost Management accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Oracle Advanced Pricing Price List CVE-2024-21266: 12.2.3-12.2.13
CVE-2024-21266 8.1 - High - October 15, 2024

Vulnerability in the Oracle Advanced Pricing product of Oracle E-Business Suite (component: Price List). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Advanced Pricing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Advanced Pricing accessible data as well as unauthorized access to critical data or complete access to all Oracle Advanced Pricing accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Oracle Site Hub <=12.2.13 Site Hierarchy Flows Remote HTTP Exploit (CVSS 8.1)
CVE-2024-21265 8.1 - High - October 15, 2024

Vulnerability in the Oracle Site Hub product of Oracle E-Business Suite (component: Site Hierarchy Flows). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Site Hub. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Site Hub accessible data as well as unauthorized access to critical data or complete access to all Oracle Site Hub accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Oracle EBS Financials 12.2.3-12.2.13 Common Components RCE via HTTP
CVE-2024-21282 8.1 - High - October 15, 2024

Vulnerability in the Oracle Financials product of Oracle E-Business Suite (component: Common Components). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financials. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Financials accessible data as well as unauthorized access to critical data or complete access to all Oracle Financials accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Oracle EBS Sourcing Auctions CVE-2024-21279 Remote Auth Bypass pre-12.2.13
CVE-2024-21279 8.1 - High - October 15, 2024

Vulnerability in the Oracle Sourcing product of Oracle E-Business Suite (component: Auctions). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Sourcing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Sourcing accessible data as well as unauthorized access to critical data or complete access to all Oracle Sourcing accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Oracle CLM PS CVE-2024-21278: Low Privilege Remote HTTP Attack (12.2.313)
CVE-2024-21278 8.1 - High - October 15, 2024

Vulnerability in the Oracle Contract Lifecycle Management for Public Sector product of Oracle E-Business Suite (component: Award Processes). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Contract Lifecycle Management for Public Sector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Contract Lifecycle Management for Public Sector accessible data as well as unauthorized access to critical data or complete access to all Oracle Contract Lifecycle Management for Public Sector accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Oracle MES PM v12.2.3-13 Device Integration RCE: Unauthorized Data Access
CVE-2024-21277 8.1 - High - October 15, 2024

Vulnerability in the Oracle MES for Process Manufacturing product of Oracle E-Business Suite (component: Device Integration). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle MES for Process Manufacturing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle MES for Process Manufacturing accessible data as well as unauthorized access to critical data or complete access to all Oracle MES for Process Manufacturing accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Oracle EBS Work In Process Messages Auth Bypass (12.2.3-12.2.13)
CVE-2024-21276 8.1 - High - October 15, 2024

Vulnerability in the Oracle Work in Process product of Oracle E-Business Suite (component: Messages). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Work in Process. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Work in Process accessible data as well as unauthorized access to critical data or complete access to all Oracle Work in Process accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Oracle EBS Oracle Quoting UI 12.2.713 Network Low-Priv HTTP RCE
CVE-2024-21275 8.1 - High - October 15, 2024

Vulnerability in the Oracle Quoting product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.2.7-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Quoting. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Quoting accessible data as well as unauthorized access to critical data or complete access to all Oracle Quoting accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

OAF·Personalization 12.2.x Privileged Remote Access in Oracle Apps
CVE-2024-21148 4.8 - Medium - July 16, 2024

Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Personalization). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications Framework. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Applications Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Applications Framework accessible data as well as unauthorized read access to a subset of Oracle Applications Framework accessible data. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).

Oracle EBS Marketing Partners: Unauth RCE via HTTP (12.2.3-12.2.13)
CVE-2024-21169 - July 16, 2024

Vulnerability in the Oracle Marketing product of Oracle E-Business Suite (component: Partners). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Marketing. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Marketing accessible data as well as unauthorized read access to a subset of Oracle Marketing accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

Oracle EBS Conv Proc 12.2-12.13 RPS & Sched VU - Low-Priv HTTP
CVE-2024-21089 6.5 - Medium - April 16, 2024

Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: Request Submission and Scheduling). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Concurrent Processing accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

Oracle EBS Prod Scheduling Import Utility unauthenticated HTTP CVE-2024-21088
CVE-2024-21088 - April 16, 2024

Vulnerability in the Oracle Production Scheduling product of Oracle E-Business Suite (component: Import Utility). Supported versions that are affected are 12.2.4-12.2.12. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Production Scheduling. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Production Scheduling accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

CVE-2024-21079: Oracle Marketing Campaign LOV unauth HTTP
CVE-2024-21079 7.5 - High - April 16, 2024

Vulnerability in the Oracle Marketing product of Oracle E-Business Suite (component: Campaign LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Marketing. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Marketing accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Oracle Apps Tech Templates HTTP Auth Exposed 12.2.3-12.2.13 (CVE-2024-20990)
CVE-2024-20990 5.3 - Medium - April 16, 2024

Vulnerability in the Oracle Applications Technology product of Oracle E-Business Suite (component: Templates). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Applications Technology. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Applications Technology accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

Unauth Network HTTP CVE-2024-21017: Oracle EBS LOV 12.2.312.2.13
CVE-2024-21017 6.1 - Medium - April 16, 2024

Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul product of Oracle E-Business Suite (component: LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair, and Overhaul. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Complex Maintenance, Repair, and Overhaul, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Complex Maintenance, Repair, and Overhaul accessible data as well as unauthorized read access to a subset of Oracle Complex Maintenance, Repair, and Overhaul accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Oracle EBS: Unauth HTTP RCE in LOV (12.2.3-12.2.13) Data Compromise
CVE-2024-21019 6.1 - Medium - April 16, 2024

Oracle EBS LOV 12.2.3-12.2.13 CVE-2024-21022: UI RCE
CVE-2024-21022 6.1 - Medium - April 16, 2024

Oracle EBS CMO (LOV) CVE-2024-21024: Uauth HTTP Read/Write (12.2.3-12.2.13)
CVE-2024-21024 6.1 - Medium - April 16, 2024

Oracle E-Business Suite CMO-LOV RCE CVE-2024-21027 (12.2.3-12.2.13)
CVE-2024-21027 6.1 - Medium - April 16, 2024

Oracle EBS OMR/LOV: Unauth HTTP Exploit (12.2.312.2.13)
CVE-2024-21028 6.1 - Medium - April 16, 2024

Oracle EBS CMO v12.2.3-12.2.13 Unauth HTTP Access (LOV)
CVE-2024-21029 6.1 - Medium - April 16, 2024

Unauthenticated HTTP Exploit in Oracle CMRO 12.2.x (LOV)
CVE-2024-21030 6.1 - Medium - April 16, 2024

Oracle CMO LOV CVE-2024-21031: Unauth Access 12.2.3-12.2.13
CVE-2024-21031 6.1 - Medium - April 16, 2024

Oracle EBS CMRO LOV PrivEsc v12.2.3-12.2.13
CVE-2024-21032 6.1 - Medium - April 16, 2024

Oracle EBS CMRO 12.2.3-12.2.13 unauth HTTP flaw yields unauthorized data access
CVE-2024-21033 6.1 - Medium - April 16, 2024

CVE-2024-21038: Oracle EBS CMR LOV Vulnerability before 12.2.13 (6.1)
CVE-2024-21038 6.1 - Medium - April 16, 2024

Oracle EBS CMRO LOV 12.2.3-12.2.13 HTTP CVE-2024-21040
CVE-2024-21040 6.1 - Medium - April 16, 2024

Oracle EBS LOV Unauth HTTP Exploit, 12.2.3-12.2.13
CVE-2024-21042 - April 16, 2024

Oracle EBS LOV HTTP unauth Access CVE-2024-21046 before 12.2.13
CVE-2024-21046 6.1 - Medium - April 16, 2024

Oracle Workflow Admin UI Vulnerability (12.2.313) CVE202421071
CVE-2024-21071 9.1 - Critical - April 16, 2024

Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Admin Screens and Grants UI). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Workflow. While the vulnerability is in Oracle Workflow, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Workflow. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

Oracle Marketing Campaign LOV RCE Unauth HTTP CVE-2024-21078
CVE-2024-21078 7.5 - High - April 16, 2024

Oracle EBS 12.2.3-12.2.13 UNC Auth Access CVE-2024-20958
CVE-2024-20958 5.4 - Medium - February 17, 2024

Vulnerability in the Oracle Installed Base product of Oracle E-Business Suite (component: Engineering Change Order). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Installed Base. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Installed Base, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Installed Base accessible data as well as unauthorized read access to a subset of Oracle Installed Base accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

Oracle Customer Interaction History 12.2.3-12.2.13 Outcome-Result Unauth HTTP
CVE-2024-20949 6.1 - Medium - February 17, 2024

Vulnerability in the Oracle Customer Interaction History product of Oracle E-Business Suite (component: Outcome-Result). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Customer Interaction History. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Customer Interaction History, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Customer Interaction History accessible data as well as unauthorized read access to a subset of Oracle Customer Interaction History accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Oracle EBS 12.2.x CVE-2024-20947: Low-Priv HTTP Data Breach CRM User Mgmt
CVE-2024-20947 5.4 - Medium - February 17, 2024

Vulnerability in the Oracle Common Applications product of Oracle E-Business Suite (component: CRM User Management Framework). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Common Applications. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Common Applications, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Common Applications accessible data as well as unauthorized read access to a subset of Oracle Common Applications accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

Oracle EBS 12.2.3-12.2.13 Eng Change Order HTTP Insecure Access
CVE-2024-20935 6.1 - Medium - February 17, 2024

Vulnerability in the Oracle Installed Base product of Oracle E-Business Suite (component: Engineering Change Order). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Installed Base. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Installed Base, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Installed Base accessible data as well as unauthorized read access to a subset of Oracle Installed Base accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Oracle E Business Suite or by Oracle? Click the Watch button to subscribe.

Oracle
Vendor

Oracle E Business Suite
Product

Oracle E Business Suite

Don't miss out!

By the Year

Recent Oracle E Business Suite Security Vulnerabilities

Oracle Scripting 12.2.312.2.14 Unauth HTTP Access (CVE202561753) CVE-2025-61753 6.1 - Medium - October 21, 2025

Oracle EBS Marketing Admin: 12.2.3-12.2.14 Unauth RCE via HTTP CVE-2025-53072 9.8 - Critical - October 21, 2025

Oracle Concurrent Processing (BI Pub Int) 12.2.3-12.2.14 Remote Code Exec CVE-2025-61882 9.8 - Critical - October 05, 2025

Oracle Apps Framework 12.2.3-12.2.14: Low Priv Exploitable via HTTP (Pers) CVE-2025-50090 5.4 - Medium - July 15, 2025

Oracle Configurator v12.2.3-12.2.14 Orders: unauthorized data access CVE-2025-30720 6.1 - Medium - April 15, 2025

Oracle EBS iSurvey Module RCE 12.2.3-12.2.14 CVE-2025-30727 9.8 - Critical - April 15, 2025

Oracle EBS OBX Telephony CVE-2025-21489: 12.2.3-12.2.10 CVE-2025-21489 6.1 - Medium - January 21, 2025

Oracle Project Foundation CVE-2025-21506 (12.2.312.2.13) Tech Foundation CVE-2025-21506 8.1 - High - January 21, 2025

Oracle EBS Customer Care SR HTTP PrivEsc CVE-2025-21516 12.2.512.2.13 CVE-2025-21516 8.1 - High - January 21, 2025

Oracle Field Service Engineer Portal 12.2.3-13 HTTP Data Tampering CVE-2024-21271 8.1 - High - October 15, 2024

Oracle EBS 12.2.3-14: UI CVE-2024-21258 Allows Unauth Read Access CVE-2024-21258 5.3 - Medium - October 15, 2024

Oracle EBS Calendar Tasks: CVE-2024-21270 IDOR before 12.2.13 CVE-2024-21270 8.1 - High - October 15, 2024

Oracle Incentive Compensation RCE via HTTP in 12.2.3-12.2.13 (CVE-2024-21269) CVE-2024-21269 8.1 - High - October 15, 2024

Oracle Apps Manager 12.2.13- Diagnostics PrivEsc via HTTP CVE-2024-21268 8.1 - High - October 15, 2024

Oracle Cost Mgmt 12.2.12-12.2.13 Auth Bypass via Cost Planning (CVE-2024-21267) CVE-2024-21267 8.1 - High - October 15, 2024

Oracle Advanced Pricing Price List CVE-2024-21266: 12.2.3-12.2.13 CVE-2024-21266 8.1 - High - October 15, 2024

Oracle Site Hub <=12.2.13 Site Hierarchy Flows Remote HTTP Exploit (CVSS 8.1) CVE-2024-21265 8.1 - High - October 15, 2024

Oracle EBS Financials 12.2.3-12.2.13 Common Components RCE via HTTP CVE-2024-21282 8.1 - High - October 15, 2024

Oracle EBS Sourcing Auctions CVE-2024-21279 Remote Auth Bypass pre-12.2.13 CVE-2024-21279 8.1 - High - October 15, 2024

Oracle CLM PS CVE-2024-21278: Low Privilege Remote HTTP Attack (12.2.313) CVE-2024-21278 8.1 - High - October 15, 2024

Oracle MES PM v12.2.3-13 Device Integration RCE: Unauthorized Data Access CVE-2024-21277 8.1 - High - October 15, 2024

Oracle EBS Work In Process Messages Auth Bypass (12.2.3-12.2.13) CVE-2024-21276 8.1 - High - October 15, 2024

Oracle EBS Oracle Quoting UI 12.2.713 Network Low-Priv HTTP RCE CVE-2024-21275 8.1 - High - October 15, 2024

OAF·Personalization 12.2.x Privileged Remote Access in Oracle Apps CVE-2024-21148 4.8 - Medium - July 16, 2024

Oracle EBS Marketing Partners: Unauth RCE via HTTP (12.2.3-12.2.13) CVE-2024-21169 - July 16, 2024

Oracle EBS Conv Proc 12.2-12.13 RPS & Sched VU - Low-Priv HTTP CVE-2024-21089 6.5 - Medium - April 16, 2024

Oracle EBS Prod Scheduling Import Utility unauthenticated HTTP CVE-2024-21088 CVE-2024-21088 - April 16, 2024

CVE-2024-21079: Oracle Marketing Campaign LOV unauth HTTP CVE-2024-21079 7.5 - High - April 16, 2024

Oracle Apps Tech Templates HTTP Auth Exposed 12.2.3-12.2.13 (CVE-2024-20990) CVE-2024-20990 5.3 - Medium - April 16, 2024

Unauth Network HTTP CVE-2024-21017: Oracle EBS LOV 12.2.312.2.13 CVE-2024-21017 6.1 - Medium - April 16, 2024

Oracle EBS: Unauth HTTP RCE in LOV (12.2.3-12.2.13) Data Compromise CVE-2024-21019 6.1 - Medium - April 16, 2024

Oracle EBS LOV 12.2.3-12.2.13 CVE-2024-21022: UI RCE CVE-2024-21022 6.1 - Medium - April 16, 2024

Oracle EBS CMO (LOV) CVE-2024-21024: Uauth HTTP Read/Write (12.2.3-12.2.13) CVE-2024-21024 6.1 - Medium - April 16, 2024

Oracle E-Business Suite CMO-LOV RCE CVE-2024-21027 (12.2.3-12.2.13) CVE-2024-21027 6.1 - Medium - April 16, 2024

Oracle EBS OMR/LOV: Unauth HTTP Exploit (12.2.312.2.13) CVE-2024-21028 6.1 - Medium - April 16, 2024

Oracle EBS CMO v12.2.3-12.2.13 Unauth HTTP Access (LOV) CVE-2024-21029 6.1 - Medium - April 16, 2024

Unauthenticated HTTP Exploit in Oracle CMRO 12.2.x (LOV) CVE-2024-21030 6.1 - Medium - April 16, 2024

Oracle CMO LOV CVE-2024-21031: Unauth Access 12.2.3-12.2.13 CVE-2024-21031 6.1 - Medium - April 16, 2024

Oracle EBS CMRO LOV PrivEsc v12.2.3-12.2.13 CVE-2024-21032 6.1 - Medium - April 16, 2024

Oracle EBS CMRO 12.2.3-12.2.13 unauth HTTP flaw yields unauthorized data access CVE-2024-21033 6.1 - Medium - April 16, 2024

CVE-2024-21038: Oracle EBS CMR LOV Vulnerability before 12.2.13 (6.1) CVE-2024-21038 6.1 - Medium - April 16, 2024

Oracle EBS CMRO LOV 12.2.3-12.2.13 HTTP CVE-2024-21040 CVE-2024-21040 6.1 - Medium - April 16, 2024

Oracle EBS LOV Unauth HTTP Exploit, 12.2.3-12.2.13 CVE-2024-21042 - April 16, 2024

Oracle EBS LOV HTTP unauth Access CVE-2024-21046 before 12.2.13 CVE-2024-21046 6.1 - Medium - April 16, 2024

Oracle Workflow Admin UI Vulnerability (12.2.313) CVE202421071 CVE-2024-21071 9.1 - Critical - April 16, 2024

Oracle Marketing Campaign LOV RCE Unauth HTTP CVE-2024-21078 CVE-2024-21078 7.5 - High - April 16, 2024

Oracle EBS 12.2.3-12.2.13 UNC Auth Access CVE-2024-20958 CVE-2024-20958 5.4 - Medium - February 17, 2024

Oracle Customer Interaction History 12.2.3-12.2.13 Outcome-Result Unauth HTTP CVE-2024-20949 6.1 - Medium - February 17, 2024

Oracle EBS 12.2.x CVE-2024-20947: Low-Priv HTTP Data Breach CRM User Mgmt CVE-2024-20947 5.4 - Medium - February 17, 2024

Oracle EBS 12.2.3-12.2.13 Eng Change Order HTTP Insecure Access CVE-2024-20935 6.1 - Medium - February 17, 2024