Abstract Advisory Information


An improper-access-control vulnerability in the Job Opening component allows attackers to bypass intended data restrictions in PeopleSoft Enterprise HCM Talent Acquisition Manager.

Author: Dominique Righetto

Version affected


Name: PeopleSoft Enterprise HCM Talent Acquisition Manager

Versions: 8.61.06

Common Vulnerability Scoring System


Base Score: 5.4

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Patches


Oracle has released a patch for this vulnerability in the April 2025 Critical Update. It is recommended that you update PeopleSoft Enterprise HCM Talent Acquisition Manager to the latest available version.

References


  • Oracle Advisory: https://www.oracle.com/security-alerts/cpuapr2025.html
  • CVE MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30713

Vulnerability Disclosure Timeline


  • 10/12/2024: Vulnerability discovery
  • 13/12/2024: Vulnerability reported to TCS-CERT
  • 17/12/2024: Vulnerability report shared with the vendor by email
  • 17/12/2024: Response from Oracle (checking the vulnerability)
  • 20/12/2024: Acknowledgement of the vulnerability from Oracle; the vendor will publish on its own website and asked to keep this information confidential until the vulnerability is fixed
  • 24/12/2024: Update from vendor
  • 03/01/2025: Email to vendor with credit information
  • 06/01/2025: Vendor acknowledgement of credit information
  • 14/01/2025: Update requested from vendor
  • 14/01/2025: Vendor replied with vulnerability fix plan
  • 24/01/2025: Update received from Oracle
  • 24/02/2025: Update received from Oracle
  • 04/03/2025: Update requested from vendor
  • 11/04/2025: CVE ID requested from MITRE by Oracle
  • 11/04/2025: CVE number assigned (CVE-2025-30713)
  • 15/04/2025: Vulnerability disclosure and fix release by Oracle (Addressed in: CPUApr2025)
  • 28/04/2025: Expected vulnerability disclosure