CVE-2021-2114
published 2021-01-20


Priority: P2 · 64 · high
CVSS 3.1 base score: 8.2
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
EPSS: 59.32% (99.0th percentile)
Vulnerability in the Oracle Common Applications Calendar product of Oracle E-Business Suite (component: Applications Calendar). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.10. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Common Applications Calendar. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Common Applications Calendar, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Common Applications Calendar accessible data as well as unauthorized update, insert or delete access to some of Oracle Common Applications Calendar accessible data. CVSS 3.1 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).

Affected (4 ranges)

Vendor             | Product                      | Version range    | Fixed in
oracle             | common_applications_calendar | 12.1.1 – 12.1.3  |
oracle             | common_applications_calendar | 12.2.3 – 12.2.10 |
oracle_corporation | common_applications_calendar |                  |
oracle_corporation | common_applications_calendar |                  |

Detection & IOCs (extracted from sources)

  • The vulnerability is exploitable remotely over HTTP without authentication and targets the Oracle E-Business Suite Common Applications Calendar component. Network-level detection should monitor for anomalous unauthenticated HTTP requests to Oracle E-Business Suite Calendar endpoints.
  • The attack vector requires human interaction (e.g., a victim clicking a crafted link), suggesting a reflected/stored XSS or CSRF-style delivery mechanism. Monitor for suspicious cross-origin requests or unexpected redirects involving Oracle EBS Calendar URLs.
  • The scope is Changed (S:C in the CVSS vector), meaning a successful exploit can impact components beyond Oracle Common Applications Calendar itself. Correlate alerts across Oracle EBS components when Calendar anomalies are detected.
  • Affected versions are Oracle E-Business Suite 12.1.1 through 12.1.3 and 12.2.3 through 12.2.10. Ensure the patching scope covers both the 12.1.x and 12.2.x release trains.
  • The fix was included in Oracle's January 2021 Critical Patch Update (CPU). Verify that the cpujan2021 patch bundle has been applied to all affected EBS instances.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 8.2   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
nvd           | v2.0    | 5.8   | MEDIUM   | AV:N/AC:M/Au:N/C:P/I:P/A:N
vendor_oracle |         | 8.2   | HIGH     |