LiveActive security incident?Get immediate response
CVE Record

CVE-2019-2483: Vulnerability in the Oracle iStore product of Oracle E-Business Suite (component: Shopping Cart).

Vulnerability in the Oracle iStore product of Oracle E-Business Suite (component: Shopping Cart). Supported versions that are affected are 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 and 12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iStore. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iStore, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle iStore accessible data as well as unauthorized update, insert or delete access to some of Oracle iStore accessible data. CVSS 3.0 Base Score 8.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).

HighCVSS 8.2Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

CVE-2019-2483 is a high-severity Oracle iStore flaw in Oracle E-Business Suite Shopping Cart. An unauthenticated network attacker can target it over HTTP, but exploitation requires user interaction. Successful compromise could expose critical iStore data and allow some unauthorized data changes.

Executive priority

Treat this as a high-priority business application risk if Oracle iStore is deployed, especially if exposed beyond trusted networks. The main concern is critical data access, not service outage. Urgency depends on exposure and patch status.

Technical view

Oracle reports affected iStore versions 12.1.1 through 12.1.3 and 12.2.3 through 12.2.8. CVSS 3.0 is 8.2: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N. The scope-change flag indicates compromise may affect products beyond Oracle iStore.

Likely exposure

Exposure is most likely where Oracle E-Business Suite includes Oracle iStore and its Shopping Cart functionality is reachable over HTTP by users or external parties. Confirm exact deployed versions against Oracle inventories; the provided sources do not identify affected configurations beyond listed versions.

Exploitation context

The sources support easy remote exploitability over HTTP with no attacker privileges, requiring human interaction. The source bundle marks KEV as false and provides no cited evidence of active exploitation. No exploit maturity or public exploit details are included.

Researcher notes

The public record is concise and does not include a CWE, root cause, exploit detail, or named fixed versions in the provided bundle. Validation should focus on product presence, version evidence, HTTP exposure, and Oracle advisory alignment.

Mitigation direction

  • Check Oracle’s January 2019 advisory and current vendor guidance for the affected iStore versions.
  • Prioritize remediation for internet-accessible or partner-facing Oracle iStore deployments.
  • Restrict HTTP access to iStore where business processes permit until remediated.
  • Review monitoring for suspicious iStore Shopping Cart activity and unexpected data changes.

Validation and detection

  • Inventory Oracle E-Business Suite instances and confirm whether Oracle iStore is enabled.
  • Compare deployed iStore versions with 12.1.1-12.1.3 and 12.2.3-12.2.8.
  • Verify whether Shopping Cart routes are reachable over HTTP from untrusted networks.
  • Confirm remediation status against Oracle CPU records and internal patch evidence.
Prepared
Confidence
medium
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2019-2483 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
8.2 (3.0)
Known Exploited
No
Published

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
2Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
8.2CVSS 3.0HighCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N2.84.7Primary CVE score

Vulnerability scoring details

Base CVSS 3.0 score

8.2High
CVSS 3.0 vector shape for CVE-2019-2483Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
Oracle CorporationOracle iStore12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8Listed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.