CVE-2024-21261 — Vulnetix

CVE-2024-21261 PUBLISHED CVSS 4.900000095367432 MEDIUM

Vulnerability in Oracle Application Express (component: General). Supported versions that are affected are 23.2 and 24.1. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Application Express. While the vulnerability is in Oracle Application Express, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Express accessible data as well as unauthorized read access to a subset of Oracle Application Express accessible data. CVSS 3.1 Base Score 4.9 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N).

EPSS 0.34% · 56.7th percentile

Risk Scores

CVSS v3.1

4.900000095367432

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N

EPSS Score

0.34%

56.7th percentile

Affected Products

Vendor	Product	Versions
oracle	application_express	24.1, 23.2
Oracle Corporation	Oracle Application Express	23.2, 24.1

Timeline

Oct 15, 2024 CVE Published
Oct 16, 2024 EPSS Score
Oct 16, 2024 Coalition ESS Score
Oct 21, 2024 Coalition ESS Score
Nov 3, 2024 EPSS Score
Nov 21, 2024 EPSS Score
Dec 10, 2024 EPSS Score
Dec 28, 2024 EPSS Score
Jan 15, 2025 EPSS Score
Feb 2, 2025 EPSS Score
Feb 10, 2025 CVE Updated
Feb 20, 2025 EPSS Score

References

Oracle Advisory vendor-advisory
https://nvd.nist.gov/vuln/detail/CVE-2024-21261 advisory

Open in Interactive Console →