SB20260120185 - Multiple vulnerabilities in PeopleSoft Enterprise PeopleTools

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20260120185

SB20260120185 - Multiple vulnerabilities in PeopleSoft Enterprise PeopleTools

Published: January 20, 2026

Security Bulletin ID SB20260120185
Severity
Medium
Patch available
YES
Number of vulnerabilities 10
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 80% Low 20%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 10 secuirty vulnerabilities.


1) Resource exhaustion (CVE-ID: CVE-2025-55163)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when handling HTTP/2 requests. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.


2) Uncontrolled Recursion (CVE-ID: CVE-2025-48924)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. A remote attacker can trigger uncontrolled recursion and perform a denial of service (DoS) attack.


3) Improper input validation (CVE-ID: CVE-2026-21934)

The vulnerability allows a remote authenticated user to read and manipulate data.

The vulnerability exists due to improper input validation within the Push Notifications component in PeopleSoft Enterprise PeopleTools. A remote authenticated user can exploit this vulnerability to read and manipulate data.


4) Improper input validation (CVE-ID: CVE-2026-21938)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Portal component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.


5) Improper input validation (CVE-ID: CVE-2026-21951)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Integration Broker component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.


6) Out-of-bounds write (CVE-ID: CVE-2025-9230)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when trying to decrypt CMS messages encrypted using password based encryption. A remote attacker can trigger an out-of-bounds write and execute arbitrary code on the target system.

Successful exploitation of the vulnerability requires that password based (PWRI) encryption support in CMS messages is enabled. 


7) Path traversal (CVE-ID: CVE-2025-27210)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to input validation error when processing directory traversal sequences affecting Windows device names like CON, PRN, and AUX. A local user can escalate privileges on the system.

Note, this vulnerability exists due to incomplete fix for #VU103223 (CVE-2025-23084).


8) Out-of-bounds read (CVE-ID: CVE-2025-9086)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition when reading cookie path. A malicious server can set a specially crafted cookie path using the secure keyword, trigger an out-of-bounds read error and crash the application.


9) Buffer overflow (CVE-ID: CVE-2025-6965)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when processing aggregated terms. A remote attacker can pass specially crafted input to the application where the number of aggregate terms exceeds the number of columns available, trigger memory corruption and perform a denial of service (DoS) attack.


10) XML External Entity injection (CVE-ID: CVE-2025-54988)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied XML input within the PDF parser module. A remote attacker can pass a specially crafted XML code to the affected application and view contents of arbitrary files on the system or initiate requests to external systems.

Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.


Remediation

Install update from vendor's website.

References