This vulnerability affects Oracle iSupplier Portal component of Oracle E-Business Suite versions 12.2.3 through 12.2.15. It permits a low privileged attacker with network access over HTTPS to compromise the portal, requiring user interaction from a third party. The CVSS 3.1 base score is 8.0, reflecting high impact on confidentiality, integrity, and availability. Oracle’s June 2026 Critical Security Patch Update advisory references this vulnerability among many others but does not explicitly state a dedicated patch or fix for this CVE in the provided content. Oracle strongly recommends applying the Critical Security Patch Update promptly to mitigate risks.

Successful exploitation can lead to full takeover of the Oracle iSupplier Portal, affecting confidentiality, integrity, and availability of the system. The attack requires user interaction, which may limit automated exploitation but still poses a significant risk given the high CVSS score and potential for system compromise.

Oracle’s advisory strongly recommends applying the June 2026 Critical Security Patch Update as soon as possible to address this and other vulnerabilities. Until patches are applied, risk may be reduced by blocking network protocols required by the attack and restricting privileges or package access for users who do not need them, though these measures may impact functionality. Patch status for this specific vulnerability is not explicitly confirmed in the advisory content; therefore, users should consult the official Oracle advisory and patch documentation for the latest remediation guidance.