CVE-2015-4854
Description
Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect integrity via unknown vectors related to Single Signon. NOTE: the previous information is from the October 2015 CPU. Oracle has not commented on third-party claims that this issue is a cross-site scripting (XSS) vulnerability, which allows remote attackers to inject arbitrary web script or HTML via the Domain parameter in the CfgOCIReturn servlet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Oracle E-Business Suite CfgOCIReturn servlet allows remote attackers to inject arbitrary web script via the Domain parameter.
Vulnerability
The Oracle Application Object Library component in Oracle E-Business Suite versions 12.0.6, 12.1.3, 12.2.3, and 12.2.4 contains a cross-site scripting (XSS) vulnerability reported in the CfgOCIReturn servlet [1]. According to the third-party disclosure, the servlet writes the Domain request parameter back into its response without sufficient output encoding, so a request can inject arbitrary web script or HTML into the page the victim receives [1]. Oracle's October 2015 Critical Patch Update (CPU) describes the issue only as an unspecified Single Signon-related integrity vulnerability; the reflected-XSS classification comes from the external advisories, and Oracle has neither confirmed nor denied it [1].
Exploitation
An unauthenticated remote attacker crafts a URL to the CfgOCIReturn servlet whose Domain parameter carries JavaScript or HTML [1]. When a victim follows the link, the reflected script runs in the victim's browser within the origin of the Oracle E-Business Suite application, with whatever session the victim holds there [1]. The attacker needs no credentials; CVSS rates the access complexity as medium only because exploitation depends on the victim opening the crafted link [1].
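The two paragraphs above describe the bug class (a servlet echoing the Domain parameter without output encoding) and the crafted-URL delivery. The following example models both: a vulnerable and a hardened rendering of the reflected parameter, and a detector that flags requests to the servlet whose Domain value carries HTML or JavaScript metacharacters. This is example code added to this page, not Oracle's CfgOCIReturn source; the real servlet's markup and URL path are not public, so the HTML layout, the assumed /OA_HTML/CfgOCIReturn path, the access-log format and the log lines themselves are constructed for illustration.

```python
"""Reflected-XSS model for a servlet that echoes a 'Domain' query
parameter, plus a detector for crafted requests in web access logs.

Example code added to this page. Not Oracle's CfgOCIReturn source:
the response shape, the servlet path and the log lines are assumed.
"""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit


# Assumed response shape: the parameter is written into an HTML text
# node. Oracle's real markup is unknown; this only models the pattern.
def render_vulnerable(domain: str) -> str:
    """'Before' case: the request parameter is concatenated unencoded."""
    return f"<html><body>Returning to domain: {domain}</body></html>"


def render_hardened(domain: str) -> str:
    """Fix: encode for the HTML text-node context before emitting."""
    safe = html.escape(domain, quote=True)
    return f"<html><body>Returning to domain: {safe}</body></html>"


def script_executes(page: str) -> bool:
    """Crude oracle for the demo: does the page contain a live <script> tag?"""
    return bool(re.search(r"<\s*script\b", page, re.IGNORECASE))


# Detection over NCSA/Apache combined-format access-log lines.
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Characters and tokens that have no business in a domain name.
_SUSPICIOUS = re.compile(r"""[<>"']|javascript:|\bon\w+=""", re.IGNORECASE)


def suspicious_domain_requests(log_lines):
    """Return (line_number, decoded Domain value) for every request to the
    CfgOCIReturn servlet whose Domain parameter looks like markup/script."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if "CfgOCIReturn" not in parts.path:      # servlet name from the CVE text
            continue
        query = parse_qs(parts.query, keep_blank_values=True)
        for value in query.get("Domain", []):
            decoded = unquote(value)             # second pass catches double-encoding
            if _SUSPICIOUS.search(decoded):
                hits.append((n, decoded))
    return hits


# Constructed sample log: one benign request, one plain payload, one
# request to an unrelated servlet, and one double-URL-encoded payload.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Oct/2015:10:00:01 +0000] "GET /OA_HTML/CfgOCIReturn?Domain=example.com HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Oct/2015:10:00:07 +0000] "GET /OA_HTML/CfgOCIReturn?Domain=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 540',
    '10.0.0.9 - - [20/Oct/2015:10:00:09 +0000] "GET /OA_HTML/OtherServlet?Domain=%3Cb%3Ex HTTP/1.1" 200 100',
    '10.0.0.7 - - [20/Oct/2015:10:00:12 +0000] "GET /OA_HTML/CfgOCIReturn?Domain=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 540',
]

if __name__ == "__main__":
    payload = "<script>alert(1)</script>"
    print("vulnerable executes:", script_executes(render_vulnerable(payload)))
    print("hardened executes:  ", script_executes(render_hardened(payload)))
    for line_no, value in suspicious_domain_requests(SAMPLE_LOG):
        print(f"line {line_no}: suspicious Domain={value!r}")
```

The detector is a monitoring aid, not a fix: it tells you whether anyone has been probing the servlet, while the actual remediation is the vendor patch discussed under Mitigation. Decoding the parameter twice matters because a single URL-decode would miss the `%253C` form in the last sample line.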
Impact
Successful exploitation lets the attacker run arbitrary JavaScript in the victim's browser within the application's origin. From there the script can issue requests on behalf of the victim, read content the victim's session can see, or redirect the user to an attacker-controlled site; the public advisories summarize this as impersonation and information disclosure [1]. The CVSS v2 base score is 4.3 (Medium), recorded as partial integrity impact with no confidentiality or availability impact [1]; that is the conventional CVSS v2 scoring for reflected XSS rather than a statement that the injected script cannot read data in the victim's session.
Mitigation
Oracle released a fix in the October 2015 CPU [1]. Affected organizations should apply the CPU patch for their Oracle E-Business Suite release (12.0.6, 12.1.3, 12.2.3, or 12.2.4). The public advisories offer no workaround; until the patch is applied, only generic compensating controls remain, such as monitoring requests to the CfgOCIReturn servlet for HTML or script metacharacters in the Domain parameter.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:oracle:e-business_suite:12.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:e-business_suite:12.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:e-business_suite:12.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:e-business_suite:12.2.4:*:*:*:*:*:*:*
- Range: 12.0.6, 12.1.3, 12.2.3, 12.2.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html (NVD; Patch; Vendor Advisory)
- packetstormsecurity.com/files/134100/Oracle-E-Business-Suite-12.1.4-Cross-Site-Scripting.html (NVD)
- seclists.org/fulldisclosure/2015/Oct/100 (NVD)
- www.securityfocus.com/archive/1/536772/100/0/threaded (NVD)
- www.securityfocus.com/bid/77253 (NVD)
- www.securitytracker.com/id/1033877 (NVD)
- erpscan.io/advisories/erpscan-15-027-oracle-e-business-suite-cross-site-scripting-vulnerability/ (NVD)
News mentions
No linked articles in our index yet.