SB20260120117 - Multiple vulnerabilities in Oracle WebCenter Sites
Published: January 20, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Uncontrolled Recursion (CVE-ID: CVE-2025-48924)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. A remote attacker can trigger uncontrolled recursion and perform a denial of service (DoS) attack.
2) Infinite loop (CVE-ID: CVE-2021-45105)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop within the StrSubstitutor class. A remote attacker can pass specially crafted input to the application, consume all available system resources and cause denial of service conditions.
Payload example: ${${::-${::-$${::-j}}}}
3) Protection Mechanism Failure (CVE-ID: CVE-2025-41248)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the annotation detection mechanism does not correctly resolve annotations on methods within type hierarchies with a parameterized super type with unbounded generics. A remote attacker can gain access to sensitive information.
Remediation
Install update from vendor's website.