CVE-2024-21178: 
Oracle Peoplesoft Enterprise Peopletools vulnerability analysis and mitigation

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Portal) affects versions 8.59, 8.60, and 8.61. This easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (Oracle CPU).

The vulnerability has been assigned a CVSS 3.1 Base Score of 6.1, indicating a medium severity level. The attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring no privileges (PR:N) but does need user interaction (UI:R). The scope is changed (S:C), with low impacts to both confidentiality and integrity (C:L, I:L) and no impact to availability (A:N). The vulnerability has been classified as CWE-79 (Cross-site Scripting) (NVD).

Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data (Oracle CPU).

Oracle has released patches for affected versions (8.59, 8.60, and 8.61) as part of the July 2024 Critical Patch Update. Oracle strongly recommends that customers apply Critical Patch Update security patches as soon as possible due to the threat posed by successful attacks (Oracle CPU).