Security specialists reported multiple vulnerabilities in PeopleSoft Enterprise PeopleTools, which provides the underlying technology for PeopleSoft applications. According to the report, the vulnerabilities could grant malicious hackers privileged access to affected systems.
These are brief reports of the found vulnerabilities, besides their Common Vulnerability Scoring System (CVSS) scores.
CVE-2020-14847: The improper input validation within the Query component in PeopleSoft Enterprise PeopleTools allows remote privileged users to exploit this vulnerability to gain access to sensitive information.
The flaw received a 2.4/10 CVSS score.
CVE-2020-9488: The Apache Log4j SMTP appender does not validate SSL certificates. A remote attacker can perform a Man-in-The-Middle (MitM) attack, intercept and decrypt network traffic. This is a low-severity vulnerability that received a 3.7/10 score.
CVE-2020-14806: An improper input validation within the Query component in PeopleSoft Enterprise PeopleTools allows remote hackers to exploit this flaw and access sensitive information.
The vulnerability received a 4.5/10 score.
CVE-2020-1954: The vulnerability resides in the JMX Integration when the “createMBServerConnectorFactory” property of the default InstrumentationManagerImpl is not disabled, allowing remote hackers to perform MiTM attacks and gain access to the compromised information.
This is a medium-severity vulnerability that received a 6.2/10 CVSS score.
CVE-2020-14813: ThE improper input validation within the PIA Grids component in PeopleSoft Enterprise PeopleTools allows remote non-authenticated attacker to exploit this vulnerability and access confidential data. The flaw received a 5.3/10 score.
CVE-2020-11022: The insufficient sanitization of user-supplied data in the regex operation in “jQuery.htmlPrefilter” allows remote attackers to pass specially crafted data to the application that uses .html(), .append() or similar methods for it and execute arbitrary JavaScript code in user’s browser in context of vulnerable website.
This is a low-severity score that received a 5.5/10 score.
CVE-2020-14802: The improper input validation within the PIA Core Technology component in PeopleSoft Enterprise PeopleTools allows remote non-authenticated attackers exploiting this flaw to read and manipulate data.
The vulnerability received a 5/10 CVSS score.
CVE-2020-14801: An improper input validation within the PIA Core Technology component in PeopleSoft Enterprise PeopleTools would allow remote non-authenticated attackers to exploit this vulnerability to read and manipulate data. The flaw received a 5.3/10 CVSS score.
CVE-2020-14832: The vulnerability exists due to improper input validation within the Integration Broker component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to access confidential data.
This is a medium-severity vulnerability that received a 5.6/10 CVSS score.
CVE-2020-14795: An improper input validation within the PIA Core Technology component in PeopleSoft Enterprise PeopleTools allows remote threat actors exploiting this vulnerability to gain access to sensitive information. The vulnerability received a 5.7/10 score.
CVE-2018-11058: The vulnerability exists due to a boundary condition when parsing ASN.1 data. A remote attacker can use a specially constructed ASN.1 data, trigger out-of-bounds read error and read contents of memory on the system. The vulnerability received a 6.2/10 score.
These flaws reside in the following versions of PeopleSoft Enterprise PeopleTools: 8.56, 8.57 & 8.58.
Even though these flaws could be exploited remotely by non-authenticated threat actors, experts have no found evidence of active exploitation attempts or the existence of a malware variant linked to the attack.
The vulnerabilities have been already patched, so developers recommend users of affected versions updating as soon as possible.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.