PII Exposure On Oracle E-Business Suite



On 23 May 2022 I discovered and reported a security issue on one of Oracle Products “Oracle E-Business Suite” the vulnerability has been patched on the latest version Oracle security team recommend using the latest version.

Technical Description:

PII Exposure was found on “Oracle E-Business Suite” The issue allows an authenticated attacker to pull all the Users info such as (First name , last name and email address) from the system using the “WORKLIST VACATION RULES” users with low privileged access are able to to use the “WORKLIST VACATION RULES”

The security risk of the vulnerability is High with a CVSS (common vulnerability scoring system) count of 7.5
Exploitation of the web vulnerability requires a low privileged user account with restricted access
Successful exploitation of the vulnerability results in PII EXPOSURE of all users info.

Proof of Concept (PoC):

1- User register an account on the system by navigating to the following directory /OA_HTML/ibeCAcpSSOReg.jsp

2- User complete the registration process

3- User return to the login page and login to the system

4- On the home page user navigate to the “Vacation Rules”

5- User Create a new rule

6- User open the search option

7- Almost done, leave the input field empty then click on “Go”

Solution – Fix & Patch:

Apply the appropriate patch according to the July 2022 Oracle Critical Patch Update advisory.

Thanks for reading