PT-2023-25885 · Unknown · Smartbpm.Net

Alan Chung · Published 2023-07-10 · Updated 2023-07-13 · CVE-2023-37288

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

SmartBPM.NET (affected versions not specified)

Description

The issue concerns a path traversal vulnerability within the file download function of SmartBPM.NET, allowing an unauthenticated remote attacker to access arbitrary system files. Additionally, there is a vulnerability related to the use of a hard-coded authentication key, which can be exploited by an unauthenticated remote attacker to access the system with regular user privileges, enabling them to read application data and execute submission and approval processes.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Relative Path Traversal

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2023-37288

Affected Products

Smartbpm.Net