Impact
The vulnerability exists in the Integration Broker component of Oracle PeopleSoft Enterprise PeopleTools. An unauthenticated attacker can send specially crafted HTTP requests to a publicly exposed interface, which may allow them to perform unauthorized updates, inserts, or deletes on database records, and to read a subset of data that should otherwise be protected. The description does not explicitly name the issue as an XSS flaw, but the assigned CWE-79 and the unauthenticated HTTP attack vector point to a cross-site scripting style weakness that is exploitable without authentication.
Affected Systems
PeopleSoft Enterprise PeopleTools versions 8.60, 8.61, and 8.62 are affected. These releases expose the Integration Broker API over HTTP without requiring user authentication, allowing remote traffic to reach the vulnerable code path.
Risk and Exploitability
The CVSS 3.1 base score of 6.1 reflects moderate severity, with limited impact on confidentiality and integrity and no availability impact. The EPSS score is less than 1 %, indicating a very low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires an attacker to send a malicious HTTP request and, because a separate user must interact with the system, also depends on social-engineering or other human-interaction tactics. The scope is potentially broader than PeopleSoft alone, because a successful attack may affect other applications integrated with it.
OpenCVE Enrichment