Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Network HTTP exposure with low complexity, requires a low-privileged authenticated account per Oracle (PR:L), no UI, full read/write on Student Financials data, no availability impact.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Vulnerability in the PeopleSoft Enterprise CS Student Financials product of Oracle PeopleSoft (component: Other). The supported version that is affected is 9.2.38. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise CS Student Financials. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise CS Student Financials accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise CS Student Financials accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
AnalysisAI
Unauthorized data access and modification in Oracle PeopleSoft Enterprise CS Student Financials 9.2.38 allows low-privileged attackers with HTTP network access to read, create, delete, or modify all data accessible to the Student Financials module. Oracle rates this CVSS 8.1 due to high confidentiality and integrity impact with no availability effect. No public exploit identified at time of analysis, but the 'easily exploitable' vendor characterization and minimal privilege requirement make this a priority for institutions running affected campus financial systems.
Technical ContextAI
PeopleSoft Enterprise CS (Campus Solutions) Student Financials is the module that handles tuition billing, financial aid disbursement, payment processing, student account receivables, and refund management in higher-education ERP deployments. The affected version is 9.2.38, served over HTTP by PeopleSoft's PIA (PeopleSoft Internet Architecture) and Application Server tier. Oracle's advisory tags this under 'Other' component without disclosing the root cause class, and no CWE is assigned in the input; however, the tag 'Authentication Bypass' in the intelligence feed combined with PR:L (not PR:N) suggests an authorization or access-control weakness where a low-privileged authenticated user can escalate to access data beyond their entitlement, rather than a pre-auth bypass.
RemediationAI
Apply the Oracle Critical Patch Update for PeopleSoft published June 2026 per advisory https://www.oracle.com/security-alerts/cspujun2026.html, which is the vendor-released patch addressing this issue - the input does not enumerate an exact post-patch build string, so administrators should consult that advisory for the precise Tools and Application patch IDs aligning with their 9.2.38 baseline. Until the CPU is applied, restrict network reachability of the PeopleSoft PIA to trusted networks (VPN or campus-only) to limit the pool of low-privileged accounts that can reach the vulnerable HTTP surface; audit Student Financials role grants to remove unnecessary access to financial transaction pages; and review web server access logs for anomalous requests against Student Financials components. These compensating controls reduce exposure but do not eliminate risk for any campus that must keep student self-service externally reachable, which is the typical deployment.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37342