CVE-2021-35616

MEDIUM

Oracle Transportation Management 6.4.3 - Unauthorized Update/Insert...

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-35616. PoCs published by Ofirhamam.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2021-35616, targeting Oracle Transportation Management (OTM). The exploit includes methods for authentication bypass, SQL injection, and potential file upload capabilities, leveraging the vulnerable DBXMLServlet endpoint.

Description

Vulnerability in the Oracle Transportation Management product of Oracle Supply Chain (component: UI Infrastructure). The supported version that is affected is 6.4.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Transportation Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Transportation Management accessible data as well as unauthorized read access to a subset of Oracle Transportation Management accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).
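The advisory and the PoC summary above give defenders two concrete handles: the attack arrives over HTTP, and it goes through the DBXMLServlet endpoint. The following is an added detection example written for this page, not code from the PoC repository or from Oracle. It scans web-server access logs in combined log format for requests that touch DBXMLServlet and flags SQL-injection-looking query strings. The `/otm/` URL prefix, the log lines, the IP addresses and the indicator token list are all constructed assumptions; only the servlet name comes from the page.

```python
"""Hunt for requests to the OTM DBXMLServlet endpoint in HTTP access logs.

Added example for CVE-2021-35616 triage. The servlet name is taken from the
vulnerability write-up; everything else here (paths, hosts, tokens) is an
assumption to be tuned for the real deployment.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Combined log format (Apache / nginx default) parser.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Servlet name from the page; matched case-insensitively against the URL path
# because the exact deployment prefix (/otm/ below is assumed) varies.
SERVLET_NAME = "dbxmlservlet"

# Cheap, low-noise substrings that suggest SQL injection in a decoded query.
# Illustrative list, not a complete signature set.
SQLI_TOKENS = ("'", "--", "/*", " union ", " select ", " or 1=1", ";")

# Constructed sample traffic (not real log data). Lines 1, 2 and 4 hit the
# servlet; line 3 and 5 are ordinary requests that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Oct/2021:10:00:01 +0000] "GET /otm/DBXMLServlet?sql=x'%20OR%201%3D1-- HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.5 - admin [20/Oct/2021:10:00:09 +0000] "POST /otm/DBXMLServlet HTTP/1.1" 200 2048 "-" "curl/7.68.0"
192.168.1.20 - - [20/Oct/2021:10:02:17 +0000] "GET /otm/login HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.9 - - [20/Oct/2021:10:05:42 +0000] "GET /otm/dbxmlservlet?xml=1%20UNION%20SELECT%20user%20FROM%20dual HTTP/1.1" 500 0 "-" "python-requests/2.25"
10.0.0.7 - - [20/Oct/2021:10:06:00 +0000] "GET /otm/images/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = unquote_plus(parts.query)  # decode %xx and '+' before matching
    return rec


def is_dbxml_request(rec):
    """True when the request path names the DBXMLServlet endpoint."""
    return SERVLET_NAME in rec["path"].lower()


def sqli_indicators(query):
    """Return the SQLI_TOKENS present in the decoded query, in list order."""
    padded = " " + query.lower() + " "  # padding lets ' union ' match at edges
    return [t for t in SQLI_TOKENS if t in padded]


def analyze(log_text):
    """Return one finding per request to the servlet, with any SQLi indicators.

    'web_tier_user' is the HTTP auth user seen by the web server ('-' when none).
    OTM's own application session is not visible here, so an empty value does
    not by itself prove the request was unauthenticated at the application.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_dbxml_request(rec):
            continue
        findings.append({
            "ip": rec["ip"],
            "method": rec["method"],
            "status": int(rec["status"]),
            "web_tier_user": rec["user"],
            "indicators": sqli_indicators(rec["query"]),
        })
    return findings


def hosts_by_hits(findings):
    """Count servlet requests per source IP, to spot scanners and PoC runs."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f)
    print(dict(hosts_by_hits(results)))
```

Any hit on the servlet from a host that has no business calling it is worth a look even with an empty indicator list, since the PoC also exercises an authentication bypass that need not carry SQL metacharacters; the indicator list only prioritises which hits to pull full request bodies for.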

Exploits (1)

nomisec WORKING POC 11 stars
by Ofirhamam · poc
https://github.com/Ofirhamam/OracleOTM

Classification
Working Poc 95%
Attack Type
Sqli | Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Oracle Transportation Management (OTM)
No auth needed (per the PoC analysis; note that the CVSS vector scores PR:L, i.e. Oracle rates the flaw as requiring low privileges)
Prerequisites: Access to the target OTM instance · Network connectivity to the vulnerable endpoint
devstral-2 · analyzed Feb 18, 2026

References (1)

Core References
Patch, Vendor Advisory (x_refsource_MISC)
https://www.oracle.com/security-alerts/cpuoct2021.html

Scores

CVSS v3 5.4
EPSS 0.0280
EPSS Percentile 86.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

Status published
Products (1)
oracle/transportation_management 6.4.3
Published Oct 20, 2021
Tracked Since Feb 18, 2026