Mauricio Urizar

**Name of the Vulnerable Software and Affected Versions** Bizagi BPM Suite versions prior to 10.3 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `txtUsername` parameter in the "Login.aspx" page. **Recommendations** For versions prior to 10.3, update to version 10.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the Login.aspx page or validating and sanitizing the `txtUsername` parameter to prevent malicious input.

**Name of the Vulnerable Software and Affected Versions** Bizagi BPM Suite versions prior to 10.4 **Description** The issue allows remote authenticated users to execute arbitrary SQL commands via a crafted SOAP request to the workflowenginesoa.asmx endpoint. **Recommendations** For versions prior to 10.4, update to version 10.4 or later to resolve the issue.