PatchSiren cyber security CVE debrief
CVE-2017-3300 Oracle CVE debrief
CVE-2017-3300 is a medium-severity Oracle PeopleSoft Enterprise PeopleTools issue affecting the Multichannel Framework in supported versions 8.54 and 8.55. The NVD record describes it as an unauthenticated, network-accessible flaw over HTTP that requires human interaction from another user. Successful exploitation can lead to unauthorized data read and modification within PeopleTools-accessible data, with possible impact beyond PeopleTools itself.
- Vendor: Oracle
- Product: CVE-2017-3300
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Oracle PeopleSoft administrators, application owners, and security teams running PeopleTools 8.54 or 8.55—especially environments exposing Multichannel Framework functionality to users over HTTP. Internet-facing deployments and systems supporting sensitive HR, finance, or ERP workflows should pay particular attention.
Technical summary
NVD classifies the weakness as CWE-79 (cross-site scripting) and assigns CVSS v3.0 6.1/Medium with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerable CPEs in the record are oracle:peoplesoft_enterprise_peopletools 8.54 and 8.55. The issue is exploitable without authentication, but requires user interaction, and the scope change indicates the resulting impact can extend beyond the immediate component.
Defensive priority
Medium priority, but treat as high urgency if PeopleSoft is user-facing or processes sensitive data. Because exploitation is network-reachable and unauthenticated, patching and exposure reduction should not be deferred.
Recommended defensive actions
- Apply Oracle's January 2017 CPU remediation referenced by the vendor advisory for affected PeopleSoft PeopleTools versions.
- Verify whether any PeopleSoft Enterprise PeopleTools 8.54 or 8.55 instances are in use and whether the Multichannel Framework is enabled or reachable.
- Reduce exposure to HTTP-accessible PeopleSoft interfaces where possible, especially for externally reachable environments.
- Review authentication, session handling, and input/output controls around user-facing PeopleSoft workflows.
- Monitor for anomalous user interaction patterns and unexpected data changes in PeopleTools-accessible records.
- Use the official CVE and NVD records to track any later modifications or reference updates for this CVE.
Evidence notes
This debrief is based on the supplied NVD CVE metadata and references. The record lists vulnerability status as Modified, published on 2017-01-27, with affected CPEs for Oracle PeopleSoft Enterprise PeopleTools 8.54 and 8.55. NVD also records CWE-79 and the CVSS v3.0 vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Oracle's January 2017 CPU advisory is referenced by NVD as the vendor patch source. No KEV entry was supplied for this CVE.
Official resources
- CVE-2017-3300 CVE record (CVE.org)
- CVE-2017-3300 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: Patch, Vendor Advisory
- Mitigation or vendor reference: Third Party Advisory, VDB Entry
- Mitigation or vendor reference: Third Party Advisory, VDB Entry
- Mitigation or vendor reference: Third Party Advisory
Publicly disclosed in the CVE record on 2017-01-27, with the vendor advisory referenced by NVD as Oracle's January 2017 Critical Patch Update material.