CVE-2017-3360 in E-Business Suite

Summary

by MITRE

Vulnerability in the Oracle Customer Intelligence component of Oracle E-Business Suite (subcomponent: User Interface). Supported versions that are affected are 12.1.1, 12.1.2 and 12.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Customer Intelligence. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Customer Intelligence, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Customer Intelligence accessible data as well as unauthorized update, insert or delete access to some of Oracle Customer Intelligence accessible data. CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts).


Analysis

by VulDB Data Team • 05/15/2026

The vulnerability described in CVE-2017-3360 is a high-severity flaw in the Oracle Customer Intelligence component of Oracle E-Business Suite, specifically in its User Interface subcomponent. It affects E-Business Suite 12.1.1, 12.1.2 and 12.1.3, the 12.1 release line that many organizations still run as a legacy platform. The flaw sits in the web interface layer and is reachable by an unauthenticated remote attacker over HTTP. Oracle rates it easily exploitable, meaning no special conditions, privileges or timing are needed to reach the weak code path; what the attacker does need is a second person to take an action, which is discussed below.

Oracle's advisory text does not name the underlying weakness class, and this entry records no known exploitation (KEV: no, activity: very low), so any statement about the root cause is inference from the published attributes rather than from a public proof of concept. The attributes themselves are specific: network attack vector, low attack complexity, no privileges required, user interaction required, changed scope, high confidentiality impact, low integrity impact and no availability impact. Those values produce exactly the stated CVSS v3.0 base score of 8.2, which is a High rating (Critical starts at 9.0); without the user-interaction requirement the same flaw would score 9.3. In practical terms, a successful attack can read all data the Oracle Customer Intelligence interface can reach, which includes customer records and the business intelligence built on them, and can modify, insert or delete some of that data, so both disclosure and corruption of the affected data sets are at risk.

The changed-scope rating means the impact is not confined to Oracle Customer Intelligence: E-Business Suite modules share the same web tier and user sessions, so a flaw in one module can expose data held by others, which is why the summary warns that attacks may significantly impact additional products. The requirement for interaction from a person other than the attacker indicates that a victim, typically a legitimate E-Business Suite user with an active session, must be induced to open a crafted link or page; the realistic delivery path is therefore phishing or a planted link rather than a direct request from the attacker. The attacker needs no account of their own, and the privileges in play are those of the user who is tricked, so the exposure of a given deployment is bounded by what its most privileged users can reach through this interface.

Mitigation starts with applying the Oracle Critical Patch Update that contains the fix for this CVE (the January 2017 CPU) to every affected 12.1 instance, and verifying the applied patch level rather than assuming it, since 12.1 installations frequently lag. Beyond patching, the E-Business Suite web tier should not be directly reachable from untrusted networks; network segmentation and a reverse proxy or VPN in front of the HTTP interface reduce the population of users who can be targeted and the paths an attacker's payload can take. Because a successful attack arrives inside a legitimate user's session, a web application firewall or intrusion detection system sees an authenticated request; detection therefore has to look at where requests originate (Referer and request-source anomalies, access to Customer Intelligence pages from unusual users or at unusual times) rather than only at authentication failures, so access logging on the web tier should be enabled and retained. This entry classifies the issue under CWE-284 (Improper Access Control) and CWE-352 (Cross-Site Request Forgery); the CSRF classification is consistent with the unauthenticated, user-interaction-required profile described above, and both categories map onto the access-control and web-security requirements of frameworks such as the NIST Cybersecurity Framework and ISO 27001. In ATT&CK terms the initial access is Exploit Public-Facing Application (T1190), with Phishing (T1566) as the likely delivery mechanism given the user-interaction requirement; the resulting data access falls under Collection and Exfiltration. (Network Service Scanning is a Discovery technique and Exploitation of Remote Services is Lateral Movement, so neither describes this flaw's entry point.) Organizations should also assess the rest of their E-Business Suite deployment, since the same CPU addressed other issues in the 12.1 line, and should have incident response procedures that cover compromise of an internal user's session, not only of an internet-facing host.

Reservation

12/06/2016

Disclosure

01/27/2017

Moderation

accepted

Entry

VDB-96160

CPE

ready

EPSS

0.00845

KEV

no

Activities

very low
