CVE-2017-3380 in E-Business Suite
Summary
by MITRE
Vulnerability in the Oracle Advanced Outbound Telephony component of Oracle E-Business Suite (subcomponent: User Interface). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Advanced Outbound Telephony. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Advanced Outbound Telephony, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Advanced Outbound Telephony accessible data as well as unauthorized update, insert or delete access to some of Oracle Advanced Outbound Telephony accessible data. CVSS v3.0 Base Score 8.2 (Confidentiality and Integrity impacts).
Analysis
by VulDB Data Team • 05/16/2026
CVE-2017-3380 resides in the Oracle Advanced Outbound Telephony component of Oracle E-Business Suite, specifically in the User Interface subcomponent. It affects supported versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6, making it a widespread concern across Oracle E-Business Suite deployments. Its classification as easily exploitable indicates that an attacker with network access via HTTP can leverage it with minimal technical sophistication.
The flaw allows an unauthenticated attacker to compromise Oracle Advanced Outbound Telephony without valid credentials. A successful attack requires human interaction from a person other than the attacker, which suggests a social engineering component or targeted user engagement, for example through phishing campaigns or malicious links. The impact extends beyond the vulnerable component and may affect additional products within the Oracle E-Business Suite environment, so organizations must address the resulting cascading risk comprehensively.
The technical implications of this vulnerability are severe, as successful exploitation can lead to unauthorized access to critical data within the Oracle Advanced Outbound Telephony system. Attackers can gain complete access to all accessible data within this component, along with unauthorized capabilities to update, insert, or delete data in some portions of the system. This dual impact on both confidentiality and integrity aligns with CWE-284 (Improper Access Control) and represents a critical weakness in the system's security architecture. The CVSS v3.0 base score of 8.2 indicates a high severity level that reflects the potential for significant data compromise and system integrity violations.
From an operational standpoint, this vulnerability creates substantial risk for organizations using Oracle E-Business Suite, particularly those with extensive telephony operations and customer communication systems. The ability to compromise telephony data could lead to unauthorized access to customer information, financial records, or sensitive business communications. The requirement for human interaction suggests that organizations should implement additional user education and awareness programs alongside technical controls. This vulnerability demonstrates the importance of comprehensive security assessments that consider not just individual components but their interconnected impacts within enterprise systems.
Organizations should prioritize immediate remediation through official Oracle patches and updates, while implementing network segmentation and access controls to limit exposure. Because the vulnerability is remotely exploitable without authentication, it is particularly dangerous in environments where network boundaries are not properly secured. Web application firewalls, monitoring systems, and regular security assessments can help detect and prevent exploitation attempts. The attack pattern aligns with ATT&CK technique T1190 (Exploit Public-Facing Application) and emphasizes the critical need for maintaining up-to-date security patches across all enterprise applications, particularly those handling sensitive telephony and business data.