PeopleSoft PeopleTools contains a flaw that allows a remote cross site scripting attack. This flaw exists in the CRM component. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. No further details have been provided.

Upgrade to PeopleTools 8.48.16 or higher for the 8.48 line, or 8.49.08 for the 8.49 line, as it has been reported to fix this vulnerability. In addition, it is recommended that a file copy take place: Copy <ps_home>\webserv\<database name>\applications\peoplesoft\PORTAL\CfgOCIReturn.html from the tools location to
<weblogic_home>\config\CalicoDomain\applications\CalicoApp\CfgOCIReturn.html. It is unclear whether this copy is a workaround to the problem, or a step to take in addition to patching. See references.

• Security Tracker: 1019218
• CVE ID: 2008-0349 (see also: NVD)
• Bugtraq ID: 27229
• Secunia Advisory ID: 28518 28556
• Related OSVDB ID: 40279 40280 40282 40283 40284 40285 40286 40287 40288 40289 40290 40293 40294 40295 40296 40297 40298 40300 40301 40302 40303 40304 40305 40306 41689
• VUPEN Advisory: ADV-2008-0150
• News Article: http://www.infoworld.com/article/08/01/10/Oracle-to-ship-critical-security-patches_1.html
  http://www.techworld.com/security/news/index.cfm?newsID=11100
• Vendor Specific Advisory URL: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2008.html
  http://www.peoplesoft.com/media/en/pdf/psftjan08cpunote.pdf
• Other Advisory URL: http://www12.itrc.hp.com/service/cki/docDisplay.do?docId=c00727143
• CERT: TA08-017A

Unknown or Incomplete