SB2025102210 - Multiple vulnerabilities in Primavera Unifier
Published: October 22, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Uncontrolled Recursion (CVE-ID: CVE-2025-48924)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. A remote attacker can trigger uncontrolled recursion and perform a denial of service (DoS) attack.
2) Improper input validation (CVE-ID: CVE-2025-5878)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the Platform (Enterprise Security API for Java (Legacy)) component in Primavera Unifier. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
3) Resource exhaustion (CVE-ID: CVE-2025-48976)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to Apache Commons FileUpload provided a hard-coded limit of 10kB for the size of the headers associated with a multipart request. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
4) Out-of-bounds write (CVE-ID: CVE-2025-27363)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can pass a specially crafted font to the application that is using an affected version of the library, trigger an out-of-bounds write and execute arbitrary code on the target system.
Remediation
Install update from vendor's website.