CVE-2025-30746 in iStore

Summary

by MITRE • 07/15/2025

Vulnerability in the Oracle iStore product of Oracle E-Business Suite (component: Shopping Cart). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iStore. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iStore, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle iStore accessible data as well as unauthorized read access to a subset of Oracle iStore accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).


Analysis

by VulDB Data Team • 07/22/2025

The vulnerability identified as CVE-2025-30746 resides within Oracle iStore, a component of the Oracle E-Business Suite ecosystem that manages e-commerce functionalities including shopping cart operations. This flaw affects versions 12.2.3 through 12.2.14, representing a significant portion of the supported Oracle E-Business Suite release lineage. The vulnerability's classification as easily exploitable indicates that attackers can leverage standard network-based attack vectors without requiring specialized tools or extensive technical expertise. The security implications extend beyond the immediate iStore component as evidenced by the scope change aspect that allows impacts to propagate to additional Oracle products within the suite, creating a cascading risk profile that organizations must consider in their security posture assessments.

The technical exploitation of this vulnerability occurs through HTTP network access without requiring authentication credentials, presenting a particularly concerning attack surface for organizations operating exposed web services. The CVSS 3.1 base score of 6.1 reflects a moderate severity rating that combines confidentiality and integrity impacts, with the vector indicating network accessibility (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and required user interaction (UI:R) to complete successful exploitation. The scope change component (S:C) indicates that while the vulnerability originates within iStore, its exploitation can potentially affect other Oracle E-Business Suite components, amplifying the potential damage. Attackers can achieve unauthorized update, insert, or delete operations against iStore accessible data, while also gaining unauthorized read access to specific subsets of data within the system, creating both data integrity and confidentiality risks.

The requirement for human interaction to complete exploitation indicates that this vulnerability likely involves social engineering or user interaction components such as phishing campaigns, malicious links, or other user engagement techniques that would typically be part of multi-stage attack approaches. This characteristic places additional emphasis on user awareness training and email filtering systems as defensive measures. Organizations utilizing affected Oracle E-Business Suite versions must consider both automated patching strategies and enhanced monitoring of iStore-related activities to detect potential exploitation attempts. The vulnerability's impact on data integrity and confidentiality aligns with CWE-284 (Improper Access Control) and CWE-79 (Cross-site Scripting) categories, while the scope change aspect relates to ATT&CK techniques involving privilege escalation and lateral movement within enterprise environments. The combination of network accessibility with scope expansion creates a particularly dangerous threat landscape where a single vulnerable component can potentially compromise entire business applications within the Oracle E-Business Suite ecosystem.

Organizations should implement immediate mitigations including network segmentation to limit access to iStore components, enhanced web application firewall rules, and comprehensive monitoring of HTTP traffic to identify suspicious patterns. The patch management process should prioritize the deployment of Oracle's security patches as soon as they become available, while also considering additional defensive measures such as user access controls and regular security assessments of the E-Business Suite environment. Given the potential for scope change impacts, security teams should conduct thorough assessments of their entire Oracle E-Business Suite deployment to identify any interconnected components that might be vulnerable to similar exploitation techniques, ensuring comprehensive protection across their enterprise applications.

Responsible

Oracle

Reservation

03/26/2025

Disclosure

07/15/2025

Moderation

accepted

CPE

ready

EPSS

0.00186

KEV

no

Activities

very low

Sources
