SB2020103043 - Multiple vulnerabilities in PeopleSoft Enterprise PeopleTools

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2020103043

SB2020103043 - Multiple vulnerabilities in PeopleSoft Enterprise PeopleTools

Published: October 30, 2020 Updated: July 14, 2022

Security Bulletin ID SB2020103043
Severity
Medium
Patch available
YES
Number of vulnerabilities 11
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 64% Low 36%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 11 secuirty vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2020-14847)

The vulnerability allows a remote privileged user to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Query component in PeopleSoft Enterprise PeopleTools. A remote privileged user can exploit this vulnerability to gain access to sensitive information.


2) Improper Certificate Validation (CVE-ID: CVE-2020-9488)

The vulnerability allows a remote attacker to perform man-in-the-middle attack.

The vulnerability exists due to the Apache Log4j SMTP appender does not validate SSL certificates. A remote attacker can perform a MitM attack, intercept and decrypt network traffic.


3) Improper input validation (CVE-ID: CVE-2020-14806)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Query component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.


4) Man-in-the-Middle (MitM) attack (CVE-ID: CVE-2020-1954)

The vulnerability allows a remote attacker to perform a man-in-the-middle (MitM) attack.

The vulnerability exists in the JMX Integration when the "createMBServerConnectorFactory" property of the default InstrumentationManagerImpl is not disabled. A remote attacker on the same host can perform a man-in-the-middle attack and gain access to all of the information that is sent and received over JMX. 


5) Improper input validation (CVE-ID: CVE-2020-14813)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the PIA Grids component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.


6) Cross-site scripting (CVE-ID: CVE-2020-11022)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the regex operation in "jQuery.htmlPrefilter". A remote attacker can pass specially crafted data to the application that uses .html()</code>, <code>.append() or similar methods for it and execute arbitrary JavaScript code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.


7) Improper input validation (CVE-ID: CVE-2020-14802)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the PIA Core Technology component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.


8) Improper input validation (CVE-ID: CVE-2020-14801)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the PIA Core Technology component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.


9) Improper input validation (CVE-ID: CVE-2020-14832)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Integration Broker component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.


10) Improper input validation (CVE-ID: CVE-2020-14795)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the PIA Core Technology component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.


11) Out-of-bounds read (CVE-ID: CVE-2018-11058)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when parsing ASN.1 data. A remote attacker can use a specially constructed ASN.1 data, trigger out-of-bounds read error and read contents of memory on the system.

This vulnerability affects the following versions of RSA BSAFE Crypto-C Micro Edition:

  • version prior to 4.0.5.3 (in 4.0.x)


Remediation

Install update from vendor's website.

References