Lorenzo Turazzi L B De Sa

Name of the Vulnerable Software and Affected Versions: Venki Supravizio BPM versions up to 18.0.1 Description: The issue is related to an arbitrary file upload vulnerability. An authenticated attacker may upload a malicious file, which can lead to remote code execution. Recommendations: For versions up to 18.0.1, consider restricting file upload capabilities to prevent malicious file uploads until a patch is available. As a temporary workaround, limit access to areas of the application where file uploads are possible to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Venki Supravizio BPM versions up to 18.0.1 Description: The issue is related to an NTLM hash leak, which allows authenticated attackers with Application Administrator access to escalate privileges on the underlying host system. This can be exploited by attackers to gain higher privileges. Recommendations: For versions up to 18.0.1, update to a version later than 18.0.1 to resolve the issue. As a temporary workaround, consider restricting access to the Application Administrator role to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Venki Supravizio BPM versions up to 18.1.1 Description: The login page of Venki Supravizio BPM is vulnerable to an open redirect that leads to reflected XSS. This issue can be exploited via a specially crafted link. Recommendations: For versions up to 18.1.1, consider disabling the login page functionality until a patch is available to prevent open redirect and reflected XSS exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.