Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Network HTTP exposure with low complexity, requires a low-privileged authenticated account per Oracle (PR:L), no UI, full read/write on Student Financials data, no availability impact.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Vulnerability in the PeopleSoft Enterprise CS Student Financials product of Oracle PeopleSoft (component: Other). The supported version that is affected is 9.2.38. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise CS Student Financials. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise CS Student Financials accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise CS Student Financials accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
AnalysisAI
Unauthorized data access and modification in Oracle PeopleSoft Enterprise CS Student Financials 9.2.38 allows low-privileged attackers with HTTP network access to read, create, delete, or modify all data accessible to the Student Financials module. Oracle rates this CVSS 8.1 due to high confidentiality and integrity impact with no availability effect. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires (1) network HTTP access to a deployed PeopleSoft Enterprise CS Student Financials 9.2.38 instance, (2) any valid low-privileged authenticated session against that PeopleSoft environment (PR:L per CVSS - not pre-authentication), and (3) the Student Financials module being enabled and reachable from the authenticated user's role. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N indicates a network-reachable, low-complexity attack requiring only a low-privileged account and no user interaction, yielding full read/write impact on accessible data - a realistic priority for any institution exposing PeopleSoft to authenticated users (which is the norm for student self-service portals). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who obtains or registers a low-privileged PeopleSoft account (for example, a student self-service login, a former-employee credential, or a phished applicant account) sends crafted HTTP requests to the Student Financials module over the standard PIA web tier. With no user interaction or additional privilege escalation required, the attacker reads or modifies tuition charges, payment records, refund destinations, or financial-aid balances belonging to other students. … |
| Remediation | Apply the Oracle Critical Patch Update for PeopleSoft published June 2026 per advisory https://www.oracle.com/security-alerts/cspujun2026.html, which is the vendor-released patch addressing this issue - the input does not enumerate an exact post-patch build string, so administrators should consult that advisory for the precise Tools and Application patch IDs aligning with their 9.2.38 baseline. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37342