SB20260120102 - Multiple vulnerabilities in Communications Unified Assurance
Published: January 20, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 15 secuirty vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2025-8916)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Security and Provisioning (Bouncy Castle Java Library) component in Oracle Essbase. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
2) Prototype pollution (CVE-ID: CVE-2025-64718)
The vulnerability allows a remote attacker to execute arbitrary JavaScript code.
The vulnerability exists due to improper input validation. A remote attacker can pass specially crafted input to the application and perform prototype pollution attacks.
3) Resource exhaustion (CVE-ID: CVE-2025-61795)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when handling errors while processing multipart upload. Depending on JVM settings, application memory usage and application load, it is possible that space for the temporary copies of uploaded parts would be filled faster than GC cleared it, leading to a DoS.
4) Input validation error (CVE-ID: CVE-2024-46901)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of filenames if serving repositories via mod_dav_svn. A remote attacker can pass specially crafted filename to the application and perform a denial of service (DoS) attack.
5) Infinite loop (CVE-ID: CVE-2025-8194)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop in the “tarfile” module when handling tar archives with negative offsets. A remote attacker can pass a specially crafted tar archive to the application and consume all available system resources, resulting in a deadlock and a denial of service.
6) Resource exhaustion (CVE-ID: CVE-2025-59375)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger large dynamic memory allocations via a small document and perform a denial of service (DoS) attack.
7) Resource exhaustion (CVE-ID: CVE-2025-55163)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when handling HTTP/2 requests. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
8) Resource exhaustion (CVE-ID: CVE-2025-5115)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when handling HTTP/2 requests. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
9) Resource exhaustion (CVE-ID: CVE-2024-12133)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources processing a large number of SEQUENCE OF or SET OF elements in a certificate. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
10) Out-of-bounds read (CVE-ID: CVE-2025-5318)
The vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the sftp_handle() function. A remote user can trigger an out-of-bounds read error and read contents of memory on the system.
11) Heap-based buffer overflow (CVE-ID: CVE-2025-65018)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the png_image_finish_read() function when processing 16-bit interlaced PNGs with 8-bit output format. A remote attacker can pass a specially crafted image file to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
12) Unchecked return value (CVE-ID: CVE-2025-54571)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient checks of the return value when handling HTTP requests. A remote attacker can override HTTP response Content-Type header and perform XSS attacks or disclose arbitrary script source code.
13) Improper Neutralization of Server-Side Includes (SSI) Within a Web Page (CVE-ID: CVE-2025-58098)
The vulnerability allows a remote attacker to execute arbitrary commands.
The vulnerability exists due to insufficient input validation with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi). The web server passes the shell-escaped query string to #exec cmd="..." directives. A remote attacker can send a specially crafted HTTP request to the server and potentially execute arbitrary code.
14) Resource exhaustion (CVE-ID: CVE-2025-46727)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
15) XML External Entity injection (CVE-ID: CVE-2025-54988)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied XML input within the PDF parser module. A remote attacker can pass a specially crafted XML code to the affected application and view contents of arbitrary files on the system or initiate requests to external systems.
Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.
Remediation
Install update from vendor's website.