Bypassing Patches for "CVE-2022-21500" on Oracle EBS (IDORing Oracle) (CVE-2025-30707, CVE-2025-30708)

By -

Hello Readers, (Sorry for lengthy article)

In 2022, researcher Orwa Atyat discovered a critical vulnerability (CVE-2022-21500) in Oracle E-Business Suite, allowing attackers to register accounts, access the “Manage Proxy” page, and retrieve sensitive user data. Additionally, the Diagnostic Console could be abused to run SQL queries and extract passwords.

To address this, Oracle released patches and organizations implemented workarounds such as:

  1. Identity Gateways – Redirecting login attempts through solutions like Oracle IDCS or ForgeRock.
  2. Disabling Registration – Removing self-registration links or URLs (ibeCAcpSSOReg.jsp) to prevent account creation.
  3. Hiding Settings – Removing access to the “Manage Proxy” option from the UI.
  4. Blocking Access – Disabling the “Manage Proxy” page entirely.

Despite these measures, I successfully bypassed all four controls. Oracle acknowledged two of my findings (Here) and assigned the following new CVEs:

  1. CVE-2025-30707 – Oracle iStore (12.2.3–12.2.14), CVSS 7.5
  2. CVE-2025-30708 – Oracle User Management (12.2.4–12.2.14), CVSS 7.5

1.    Bypass for Control 1 & 2: 

  • Control #1 aims to block access to AppsLocalLogin.jsp by redirecting users to an Identity Gateway (e.g., Oracle IDCS). Since the restriction is applied only to this endpoint, it can be bypassed by directly accessing alternative registration links mentioned Below:
  • Control #2 involves removing the self-registration hyperlink or the ibeCAcpSSOReg.jsp page itself. However, the following URLs can still be accessed directly:

Error on Reg Page
Registration page is removed .
     Bypass links:

a. Register as an individual:

<domain>/OA_HTML/jtftmplh.jsp?tmpl_action=browse&ref=&_sendConfirmationEmail=N&_regErrorPage=ibeCRgdError.jsp&tmpl_ut_id=10041.00000&jtt_uua=n&tmpl_ut=IBE_INDIVIDUAL

 

b. Register as a Company:

<domain>/OA_HTML/jtftmplh.jsp?tmpl_action=browse&ref=&_sendConfirmationEmail=N&_regErrorPage=ibeCRgdError.jsp&tmpl_ut_id=10044.00000&jtt_uua=n&tmpl_ut=IBE_PRIMARY

Above Links will give access to user Registration Page.

----------------------------------------------------------------------------------------------


2.    Bypass for Control #3: 

Control #3 removes the “Manage Proxy” option from the settings menu(UI) after login..

Bypass Technique:
After logging in, directly visit the URL below. While the page throws an error, the Settings gear icon (top-right) remains visible. Clicking it reveals the previously hidden Manage Proxy option—only hidden on valid pages, not on error pages. From there, the original exploit path (as per CVE-2022-21500) can be resumed.

 

<domain>/OA_HTML/OA.jsp?page=/oracle/apps/fnd/umx/proxy/webui/ManageProxiesPG&_ri=0&_ti=885811246&retainAM=N&addBreadCrumb=N&oapc=2&oas=OqI5nLxz2z3Q8vdoLGDyHQ..

Error page shows the Manager Proxies option

----------------------------------------------------------------------------------------------

3.    Bypass for Control # 4: 

Control #4 disables the “Manage Proxy” page entirely.

Bypass Technique:
Even when the page is blocked, sensitive user data can still be accessed via the Workflow → Vacation Rules section. Use the URLs below to reach the feature:


Bypass URL 1:

<Domain>/OA_HTML/OA.jsp?OAFunc=WF_WORKLIST

Bypass URL 2: 

<Domain>/OA_HTML/OA.jsp?OAFunc=OAHOMEPAGE&aflog_level=STATEMENT&aflog_module=pa

 

Navigate to "TIP Vacation Rules" → Create Rule → Next → Reassign, then click the Search icon to view employee details.

 

Click on TIP hyperlink
Create a Rule



Successfully got the Employee List


==========================Something New====================

In addition to the previously mentioned bypasses, I discovered an unprotected endpoint that exposes the Purchase Order (PO) Buyers List.

Accessing PO Buyers:

Navigate to the following URL:

<domain>/OA_HTML/RF.jsp?function_id=12345

Once loaded, click on "Advanced Search".

In the buyer search field, simply perform an empty search.

This will return a complete list of all registered buyers in the system.

 


Happy Hunting. 


Comments

Post a Comment

Popular posts from this blog

Enjay CRM 1.0 - Multiple code executions via Unrestricted Terminal

By -
Image
  Enjay CRM is a collection which contains the CRM software along with Linux Ubuntu, however normal user don't have access to the underlying OS. Once the OS boots its runs the Enjay CRM software which has multiple read-only options.  However some of these options opens a terminal to perform a specific activity, This terminal is unrestricted and user can access the underlying OS as a ROOT and can run any command on OS. Underlying OS can be accessed using two methods; Also CVEs are assigned to these findings. 1. Using Ping menu (CVE-2024-41308):  it will open a terminal and user can click on File menu -> New Tab/New window. And root level terminal will be open. 2. Using Hardware info (CVE-2024-41309): Once the Hardware info page opens click on Help menu and either select "Open HardInfo Website" or "Report bug", it will open an unrestricted terminal where user can click on File menu -> New Tab/New window. And root level terminal will be open. Both the vulner...
Read more

Ericsson BSCS iX R18 Billing & Rating (ADMX, MX) - Stored XSS (CVE-2020-29144, CVE-2020-29145)

By -
Image
Dear Reader, I was able to identify stored XSS in multiple web base modules of Ericsson BSCS iX R18 Billing & Rating platform  Below are its details: # Software description: Ericsson Billing is a convergent billing solution for telecoms that combines an unrivaled combination of out-of-the box features and high configurability. As an evolution of the widely-installed Ericsson BSCS iX, Ericsson Billing provides a low-risk but effective route to capture and secure revenue streams and take advantage of business opportunities from both traditional telecom services as well as digital services, 5G and IoT. # Technical Details & Impact: There are multiple web base modules in BSCS iX e.g. ADMX, MX (monitoring center), CX etc. It was observed that ADMX and MX are vulnerable to stored XSS, In most test cases session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or exploiting admin's browsers using beef...
Read more

ZKBio Time - CSV Injection (CVE-2022-40472)

By -
Image
 Hi all, I am here with new post. Recently I have identified a csv injection vulnerability in one of the web-based time and attendance management software. Below are the details: Software Description: ZKBio Time is a powerful web-based time and attendance management software. With a powerful data handling capacity, the system can manage the attendance data of 10,000 employees. It can easily handle hundreds of devices and thousands of employees and their transactions. ZKBio Time comes with an intuitive user interface is able to manage timetable, shift and schedule and can easily generate attendance reports. Impacted Version: 8.0.7 (Build: 20220721.14829) and before. CVE ID: CVE-2022-40472 Vulnerability details: Login to ZKBio Time Application In the left Menu click on Messages -> Public Click on ADD new message button Write your Device Serial Number Mention any date/time and duration In Content Field Add your CSV injection payload. As shown below Any user who extract th...
Read more