PT-2025-2283 · Oracle · JD Edwards EnterpriseOne Tools

Published: 2025-01-21 · Updated: 2025-01-22 · CVE-2024-21245

CVSS v2.0: 5.5 (Medium)

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions

JD Edwards EnterpriseOne Tools versions prior to 9.2.9.0

Description

The issue affects the Business Logic Infra SEC component of JD Edwards EnterpriseOne Tools, which has a flaw in its data source confirmation mechanism. A remote attacker can exploit this flaw, using a specially crafted HTML page, to gain unauthorized access to protected information and to modify, add, or delete data. The attack requires interaction from a user other than the attacker, and its impact can extend to additional products beyond the vulnerable component. A successful attack can result in unauthorized update, insert, or delete access to some of the data accessible to JD Edwards EnterpriseOne Tools, as well as unauthorized read access to a subset of that data.

Recommendations

For versions prior to 9.2.9.0, update to version 9.2.9.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Business Logic Infra SEC component to minimize the risk of exploitation. Until the fix is applied, avoid opening untrusted HTML pages that could exploit the flaw in the data source confirmation mechanism.

Fix

Weakness Enumeration

Origin Validation Error

Related Identifiers

BDU:2025-01181
CVE-2024-21245

Affected Products

JD Edwards EnterpriseOne Tools