CVE-2024-20953
In short
Oracle Agile PLM version 9.3.6 has a flaw in its export feature that allows a logged-in user to take complete control of the system through a network request. This vulnerability can lead to theft, modification, or destruction of data.
Technical detail
CWE-502 (Deserialization of Untrusted Data) vulnerability in Oracle Agile PLM 9.3.6 export component. Attack vector is network-based (HTTP), requires low-privilege authenticated access, and no user interaction. Successful exploitation results in complete system compromise (confidentiality, integrity, and availability impact).
Summary generated and translated by AI from the official description.
Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: Export). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in takeover of Oracle Agile PLM. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Affected products
Oracle Corporation · Agile PLM Framework