CVE-2024-21148: 
Oracle E-Business Suite vulnerability analysis and mitigation

Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Personalization). Supported versions that are affected are 12.2.3-12.2.13. This vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications Framework. The vulnerability was discovered by Nguyen Quach Duy Anh and disclosed in July 2024 (Oracle CPU).

The vulnerability requires human interaction from a person other than the attacker and while the vulnerability is in Oracle Applications Framework, attacks may significantly impact additional products (scope change). The vulnerability has been assigned a CVSS v3.1 Base Score of 4.8 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (Oracle CPU).

Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Applications Framework accessible data as well as unauthorized read access to a subset of Oracle Applications Framework accessible data (Oracle CPU).

Oracle has released patches for affected versions (12.2.3-12.2.13) as part of the July 2024 Critical Patch Update. Oracle strongly recommends that customers apply Critical Patch Update security patches without delay (Oracle CPU).