CVE-2021-2015

CWE-502 — Deserialization of Untrusted Data CWE-20 — Improper Input Validation CWE-352 — Cross-Site Request Forgery (CSRF)CWE-362 — Race Condition CWE-79 — Cross-site Scripting (XSS)CWE-191 CWE-200 — Information Exposure CWE-75424 documents10 sources

Severity

8.2HIGH

EPSS

1.0%

top 23.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Oracle Workflow Oracle Corporation Workflow Oracle Data Integrator +1 more

Timeline

PublishedJan 20

Latest updateJun 19

Description

Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Worklist). Supported versions that are affected are 12.2.3-12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Workflow. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Workflow, attacks may significantly impact additional products. Successful attacks of this vulnerab…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:NExploitability: 2.8 | Impact: 4.7

Affected Packages4 packages

▶NVDoracle/workflow12.2.3 — 12.2.10

▶CVEListV5oracle_corporation/workflow12.2.3-12.2.10

▶NVDoracle/data_integrator12.2.1.3.0, 12.2.1.4.0+1

▶NVDoracle/enterprise_manager_ops_center12.4.0.0

🔴Vulnerability Details

GHSA

GHSA-8ww5-7wc7-5j2j: Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Worklist)↗2022-05-24

▶

GHSA

OpenNMS Horizon vulnerable to XSS↗2022-05-24

▶

GHSA

Improper one time password handling in devise-two-factor↗2022-04-07

▶

OSV

php7.2, php7.4 vulnerabilities↗2022-03-03

▶

OSV

php7.0 vulnerabilities↗2022-02-22

▶

💥Exploits & PoCs

Exploit-DB

ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)↗2021-05-26

▶

📋Vendor Advisories

Red Hat

kernel: btrfs: use latest_dev in btrfs_show_devname↗2024-06-19

▶

Red Hat

kernel: tpm: efi: Use local variable for calculating final log size↗2024-02-27

▶

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Third Party Tools (Apache Standard Taglibs) — CVE-2015-0254↗2021-07-15

▶

Red Hat

json-smart: uncaught exception may lead to crash or information disclosure↗2021-02-23

▶

Oracle

Oracle Oracle E-Business Suite Risk Matrix: Worklist — CVE-2021-2015↗2021-01-15

▶

🕵️Threat Intelligence

Krebs

Kaseya Left Customer Portal Vulnerable to 2015 Flaw in its Own Software↗2021-07-08

▶