[Original text] Cross-site scripting (XSS) vulnerability in PeopleSoft Human Resources Management System (HRMS) 7.0, when "web enabled" using HTML Access, allows remote attackers to inject arbitrary web script or HTML via unspecified (1) debugging or (2) utility scripts.
PeopleSoft HRMS contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate URLs for malicious script upon submission to certain unspecified default debugging and utility scripts. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
Currently, there are no known upgrades or patches to correct this vulnerability. The flaw can be worked around temporarily as follows: remove the line referencing utils from the file user/components/header.htm, and remove the utils directory/folder completely. In some installations these scripts are duplicated in "/hrtest" or similar, and references to utils should be removed from there as well. Also remove the file user/ASP/HA_DIRECT_DEP_DTL/HA_DIRECT_DEP_DTL_save.asp.
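
One way to confirm the workaround was applied to every copy of the application, including duplicates such as "/hrtest", is to walk the web root and report what is still present. This is an added example, not code from the advisory or from PeopleSoft; the function names, the sample tree, and the rule that a "reference" is any header.htm line containing "utils" are assumptions.

```python
import os
import tempfile

def audit_webroot(root):
    """Return sorted (kind, location) findings the workaround should have removed."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        def rel(name):
            full = os.path.join(dirpath, name)
            return os.path.relpath(full, root).replace(os.sep, "/")
        # Any surviving utils directory, including duplicates such as hrtest/utils.
        for d in dirnames:
            if d.lower() == "utils":
                findings.append(("utils-dir", rel(d)))
        for f in filenames:
            if f.lower() == "ha_direct_dep_dtl_save.asp":
                findings.append(("save-script", rel(f)))
            elif f.lower() == "header.htm":
                # Assumption: a "reference" is any line mentioning utils.
                with open(os.path.join(dirpath, f), encoding="latin-1") as fh:
                    for num, line in enumerate(fh, 1):
                        if "utils" in line.lower():
                            findings.append(("header-ref", f"{rel(f)}:{num}"))
    return sorted(findings)

def demo():
    """Constructed tree: main copy cleaned, hrtest duplicate left untouched."""
    sample = {
        "user/components/header.htm": "<html>\n<body>\n",
        "hrtest/user/components/header.htm": '<html>\n<a href="../../utils/">tools</a>\n',
        "hrtest/utils/placeholder.asp": "",
        "hrtest/user/ASP/HA_DIRECT_DEP_DTL/HA_DIRECT_DEP_DTL_save.asp": "",
    }
    with tempfile.TemporaryDirectory() as root:
        for path, body in sample.items():
            full = os.path.join(root, *path.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="latin-1") as fh:
                fh.write(body)
        return audit_webroot(root)

if __name__ == "__main__":
    for kind, where in demo():
        print(f"{kind:12} {where}")
```

An empty result from audit_webroot on the real web root means none of the three items named in the workaround remain under that root.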