SQL Injection Vulnerability in PeopleSoft SCM by Oracle
CVE-2021-35541

5.4 MEDIUM

Key Information:

Vendor: Oracle
CVE Published: 20 October 2021

Summary

An exploitable SQL injection vulnerability exists in the Supplier Portal component of Oracle's PeopleSoft Enterprise SCM product, affecting version 9.2. It allows a low-privileged attacker with network access via HTTP to manipulate the database. Successful exploitation requires human interaction from a user other than the attacker. The consequences of such attacks may include unauthorized updates, inserts, deletes, and read access to sensitive data, significantly impacting the confidentiality and integrity of PeopleSoft Enterprise SCM data. Organizations using this product should take immediate action to mitigate potential risks.

Affected Version(s)

PeopleSoft Enterprise SCM Purchasing 9.2

References

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
