Vulnerability: PeopleSoft XML External Entities

ISS X-Force has discovered a flaw in the PeopleSoft Application Messaging Gateway.

"The Application Messaging Gateway is configured to run by default on the PeopleSoft Web server, and is accessible as a Java servlet. Attackers can use an XML External Entities (XXE) attack to read any file on the vulnerable PeopleSoft application server under the security context of the Web server process. This attack may lead to the exposure of confidential information stored in vulnerable PeopleSoft installations."

Affected versions include PeopleTools 8.1x prior to 8.19. PeopleTools 8.4x is not vulnerable.
