It appears the issue applies to all 9.1 tools releases (not just 9.1.5). There does not appear to be a hotfix. Instead the fix is to apply the latest 9.1.5 update to your Tools Release.

CVE-2014-6565 Vulnerability in the JD Edwards EnterpriseOne Tools Portal component of Oracle JD Edwards Products. The supported version that is affected is
9.1 through The vulnerability allows unauthenticated network attacks via HTTP if you are using Configurable_HTML_URI_IURI_Component and
HTML_URI_IURI_Component Portal code in WebCenter Spaces or WebSphere Portal. Successful attack of this vulnerability can result in unauthorized
execution of code supported by the JDE E1 portal framework. CVSS Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS V2 Vector:
(AV:N/AC:L/Au:N/C:p/I:p/A:p). (legend) [Advisory] – see NOTE**

CVE-2014-6565 affects JD Edwards EnterpriseOne Tools Portal code 9.1 GA release through

Resolution(s) - CVE-2014-6565: Apply latest patch using JDE E1 tools dot release of