SB20251022138 - Multiple vulnerabilities in PeopleSoft Enterprise PeopleTools
Published: October 22, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 14 secuirty vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2025-61750)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Query component in PeopleSoft Enterprise PeopleTools. A remote authenticated user can exploit this vulnerability to gain access to sensitive information.
2) Improper input validation (CVE-ID: CVE-2025-53059)
The vulnerability allows a remote privileged user to gain access to sensitive information.
The vulnerability exists due to improper input validation within the OpenSearch Dashboards component in PeopleSoft Enterprise PeopleTools. A remote privileged user can exploit this vulnerability to gain access to sensitive information.
3) Input validation error (CVE-ID: CVE-2025-31672)
The vulnerability allows a remote attacker to manipulate file parsing behavior.
The vulnerability stems from the way Apache POI handles zip entries in OOXML format files. When duplicate file names (including paths) exist within the zip structure, different products may select different zip entries with the same name, leading to inconsistent data interpretation. A remote attacker can manipulate file parsing behavior through specially crafted OOXML files containing ZIP entries with duplicate file names. This manipulation can result in inconsistent data processing across different systems, potentially leading to security issues and data integrity concerns.
4) Protection Mechanism Failure (CVE-ID: CVE-2025-50181)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to incorrect implementation of the Redirect object when handling redirects and retries. A remote attacker can force the library to follow redirects even if explicitly disabled with PoolManager.
5) Improper input validation (CVE-ID: CVE-2025-53048)
The vulnerability allows a remote authenticated user to read and manipulate data.
The vulnerability exists due to improper input validation within the Rich Text Editor component in PeopleSoft Enterprise PeopleTools. A remote authenticated user can exploit this vulnerability to read and manipulate data.
6) Improper input validation (CVE-ID: CVE-2025-53065)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the PIA Core Technology component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
7) Improper input validation (CVE-ID: CVE-2025-53063)
The vulnerability allows a remote authenticated user to read and manipulate data.
The vulnerability exists due to improper input validation within the PIA Core Technology component in PeopleSoft Enterprise PeopleTools. A remote authenticated user can exploit this vulnerability to read and manipulate data.
8) Improper input validation (CVE-ID: CVE-2025-53061)
The vulnerability allows a remote privileged user to read and manipulate data.
The vulnerability exists due to improper input validation within the PIA Core Technology component in PeopleSoft Enterprise PeopleTools. A remote privileged user can exploit this vulnerability to read and manipulate data.
9) Improper input validation (CVE-ID: CVE-2025-53055)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The vulnerability exists due to improper input validation within the PIA Core Technology component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.
10) Improper input validation (CVE-ID: CVE-2024-54160)
The vulnerability allows a remote authenticated user to read and manipulate data.
The vulnerability exists due to improper input validation within the OpenSearch Dashboards (OpenSearch Dashboards) component in PeopleSoft Enterprise PeopleTools. A remote authenticated user can exploit this vulnerability to read and manipulate data.
11) Expected behavior violation (CVE-ID: CVE-2025-4575)
The vulnerability may allow an attacker to gain unauthorized access to the application.
The vulnerability exists due to an error in code related to usage of the "-addreject" option to reject certain x509 certificates. If the option is used, the certificated will be added as trusted instead of rejecting it.
12) Improper input validation (CVE-ID: CVE-2025-53050)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Performance Monitor component in PeopleSoft Enterprise PeopleTools. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.
13) Improper access control (CVE-ID: CVE-2025-48734)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions to enum properties. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum’s class loader via the “declaredClass” property available on all Java “enum” objects. Accessing the enum’s “declaredClass” allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty().
14) Path traversal (CVE-ID: CVE-2025-4517)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to input validation error in the tarfile module when extracting files from an archive with filter="data". A remote attacker can pass specially crafted archive to the application and write files to arbitrary locations on the system outside the extraction directory.
Remediation
Install update from vendor's website.