CVE-2025-50090: 
Oracle E-Business Suite vulnerability analysis and mitigation

A vulnerability has been identified in the Oracle Applications Framework product of Oracle E-Business Suite (component: Personalization), affecting versions 12.2.3-12.2.14. The vulnerability was disclosed on July 15, 2025, and is tracked as CVE-2025-50090. This security flaw affects the Oracle Applications Framework and requires human interaction from a person other than the attacker for successful exploitation (Oracle Advisory).

The vulnerability is characterized as easily exploitable by a low-privileged attacker with network access via HTTP to compromise Oracle Applications Framework. The vulnerability has been assigned a CVSS 3.1 Base Score of 5.4, indicating medium severity, with impacts on both Confidentiality and Integrity. The CVSS Vector is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). The vulnerability has been classified as Cross-Site Request Forgery (CSRF) based on CWE-352 (NVD).

Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Applications Framework accessible data, as well as unauthorized read access to a subset of Oracle Applications Framework accessible data. The scope of the vulnerability is changed, meaning attacks may significantly impact additional products beyond the Oracle Applications Framework (Oracle Advisory).

Oracle has released patches to address this vulnerability as part of the July 2025 Critical Patch Update. Organizations running affected versions (12.2.3-12.2.14) of Oracle E-Business Suite should apply the security patches as soon as possible. Oracle strongly recommends that customers apply Critical Patch Update security patches without delay to address this vulnerability (Oracle Advisory).