PT-2018-5062 · Processmaker · Processmaker Enterprise Core

Published: 2018-09-10 · Updated: 2022-12-14 · CVE-2016-9048

CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions

ProcessMaker Enterprise Core version 3.0.1.7-community

Description

The issue allows SQL injection through specially crafted web requests. An attacker can exploit it by sending a web request whose parameters contain SQL injection payloads, potentially leading to exfiltration of the database and user credentials and, in certain setups, access to the underlying operating system.

Recommendations

For ProcessMaker Enterprise Core version 3.0.1.7-community, consider restricting access to the web interface to minimize the risk of exploitation until a fix is available. Avoid passing user-supplied parameters directly into SQL queries, as this is what makes SQL injection possible. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit: SQL injection

Weakness Enumeration

Related Identifiers: CVE-2016-9048

Affected Products: Processmaker Enterprise Core