My Oracle Support Banner

EMM: MAINT_LOOP_ID Accepts Single Quotes (Doc ID 2143660.1)

Last updated on OCTOBER 23, 2023

Applies to:

PeopleSoft Enterprise FIN Maintenance Management - Version 9.1 and later
Information in this document applies to any platform.


MAINT_LOOP_ID accepts single quotes this causes the loop schedule page to fail with a sql error but more importantly it allows for sql injection

Expected Behavior
It is expected that an edit on MAINT_LOOP_ID will not allow the field to be saved with single codes embedded in the value.

This issue can be replicated by performing the following steps:

1) Create a Maintenance Loop with a Loop ID that includes single quotes, at least one, and save.
2) Create a Loop Schedule with the Loop ID that includes single quotes.
3) Submit the Run Preventive Maintenance process for the Loop Schedule.

Business Impact
This bug represents an unacceptable security risk that would allow a malicious user to delete tables. We need to have this resolved before we are required to disclose this to our auditors.




To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.