This vulnerability allows remote attackers to inject arbitrary SQL on vulnerable installations of Oracle E-Business Suite Business Intelligence. Authentication is not required to exploit this vulnerability.
The specific flaw exists in the APPS.ICXSUPWF.DisplayContacts package. The procedure fails to validate the contents of a WHERE clause containing user-supplied input. This allows an attacker to execute arbitrary SQL statements in the context of the APPS user.
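
The class of flaw described above, shown as an added PL/SQL example that is not Oracle E-Business Suite code and not part of the original advisory: a procedure that concatenates caller-supplied text into a WHERE clause, next to a form that uses a fixed statement and a bind variable. The table `demo_contacts` and both procedure names are hypothetical.

```sql
-- Hypothetical table and procedures, constructed for illustration only.
CREATE TABLE demo_contacts (
  contact_id   NUMBER PRIMARY KEY,
  supplier_id  NUMBER NOT NULL,
  contact_name VARCHAR2(100)
);

-- Weak pattern: caller-supplied text becomes part of the WHERE clause.
-- PL/SQL procedures run with definer's rights by default, so whatever the
-- text turns the statement into executes with the owning schema's privileges.
CREATE OR REPLACE PROCEDURE display_contacts_weak (p_where IN VARCHAR2) AS
  c_rows SYS_REFCURSOR;
  l_name demo_contacts.contact_name%TYPE;
BEGIN
  OPEN c_rows FOR
    'SELECT contact_name FROM demo_contacts WHERE ' || p_where;
  LOOP
    FETCH c_rows INTO l_name;
    EXIT WHEN c_rows%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE(l_name);
  END LOOP;
  CLOSE c_rows;
END;
/

-- Hardened pattern: the statement text is fixed. The caller supplies only a
-- typed value, passed as a bind variable, so it cannot alter the SQL itself.
CREATE OR REPLACE PROCEDURE display_contacts_safe (p_supplier_id IN NUMBER) AS
  c_rows SYS_REFCURSOR;
  l_name demo_contacts.contact_name%TYPE;
BEGIN
  OPEN c_rows FOR
    'SELECT contact_name FROM demo_contacts WHERE supplier_id = :sid'
    USING p_supplier_id;
  LOOP
    FETCH c_rows INTO l_name;
    EXIT WHEN c_rows%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE(l_name);
  END LOOP;
  CLOSE c_rows;
END;
/
```

When reviewing a schema for this pattern, the signal to look for is a string parameter concatenated with `||` into text passed to `OPEN ... FOR` or `EXECUTE IMMEDIATE`, in a procedure that unauthenticated callers can reach.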