PT-2022-23208 · Blue Prism · Blue Prism Enterprise

Published: 2022-08-25 · Updated: 2023-08-08 · CVE-2022-36120

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Blue Prism Enterprise versions 6.0 through 7.01

Description: In a misconfigured environment that exposes the Blue Prism Application Server to the attacker, an authenticated user holding a low-privilege or no-privilege Blue Prism account can reverse engineer the Blue Prism software and bypass the access control that is meant to restrict the getChartData administrative function. By abusing the getChartData method, the attacker can alter the server's settings so that the Blue Prism server executes any MSSQL stored procedure by name. The procedures run under the database login the Application Server itself uses, so the damage an attacker can do is bounded by the permissions granted to that login.

Recommendations: For Blue Prism Enterprise versions 6.0 through 7.01, restrict access to the getChartData administrative function so that it cannot be reached from low-privilege accounts, and limit which MSSQL stored procedures the Application Server's database login is allowed to execute (least privilege on the database side). Because the issue requires a misconfigured environment that exposes the Application Server, also verify that the server is not reachable from untrusted networks. As a temporary workaround, disable the getChartData method until a proper configuration or vendor patch is in place.
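The database-side part of the recommendation above (least privilege for the Application Server's login, plus a way to notice a stored procedure being invoked outside the expected set) can be checked and enforced with T-SQL. The script below is an added example written for this page; it is not code from the advisory or from Blue Prism. The database name [BluePrism], the application user name [bp_appsvc], the audit file path and the allow-list of procedure names are all assumptions and must be replaced with the values from your own deployment and the vendor's documentation.

```sql
-- Added example (not from the advisory or from Blue Prism).
-- Assumed names: database [BluePrism], application database user [bp_appsvc],
-- audit file directory C:\SQLAudit\. Run as a sysadmin / db_owner principal.

USE [BluePrism];
GO

-- 1. Role membership: if the application user is in db_owner (or any role
--    that confers EXECUTE broadly), "execute any stored procedure by name"
--    really does mean any procedure in the database.
SELECT r.name AS db_role
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'bp_appsvc';
GO

-- 2. Inventory: every stored procedure the application user can currently
--    execute, evaluated by impersonating that user.
EXECUTE AS USER = N'bp_appsvc';
SELECT s.name AS [schema], p.name AS [procedure]
FROM sys.procedures AS p
JOIN sys.schemas AS s ON s.schema_id = p.schema_id
WHERE HAS_PERMS_BY_NAME(
          QUOTENAME(s.name) + N'.' + QUOTENAME(p.name),
          N'OBJECT', N'EXECUTE') = 1
ORDER BY s.name, p.name;
REVERT;
GO

-- 3. Tighten: remove blanket ownership and grant EXECUTE only on the
--    procedures the product needs. The procedure list below is a placeholder;
--    take the real list from the vendor documentation, not from this example.
ALTER ROLE db_owner DROP MEMBER [bp_appsvc];
GRANT EXECUTE ON OBJECT::[dbo].[expected_proc_1] TO [bp_appsvc];  -- placeholder
GRANT EXECUTE ON OBJECT::[dbo].[expected_proc_2] TO [bp_appsvc];  -- placeholder
GO

-- 4. Audit: record every EXECUTE performed by the application user so that a
--    procedure reached via getChartData but outside the expected set is visible.
USE [master];
GO
CREATE SERVER AUDIT [BluePrism_Exec_Audit]
    TO FILE (FILEPATH = N'C:\SQLAudit\')
    WITH (ON_FAILURE = CONTINUE);
ALTER SERVER AUDIT [BluePrism_Exec_Audit] WITH (STATE = ON);
GO
USE [BluePrism];
GO
CREATE DATABASE AUDIT SPECIFICATION [BluePrism_Exec_Spec]
    FOR SERVER AUDIT [BluePrism_Exec_Audit]
    ADD (EXECUTE ON DATABASE::[BluePrism] BY [bp_appsvc])
    WITH (STATE = ON);
GO

-- 5. Review: EXECUTE events (action_id 'EX') by the application user whose
--    target object is not in the allow-list. The allow-list is a placeholder.
SELECT event_time, server_principal_name, database_principal_name,
       schema_name, object_name, statement
FROM sys.fn_get_audit_file(N'C:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT)
WHERE action_id = 'EX'
  AND database_principal_name = N'bp_appsvc'
  AND object_name NOT IN (N'expected_proc_1', N'expected_proc_2')  -- placeholder
ORDER BY event_time DESC;
```

Step 2 is the check to run before and after step 3: the list of executable procedures should shrink to exactly the allow-list. Step 5 is the detection query for the scenario the advisory describes; a row whose object_name falls outside the expected set, originating from the Application Server's login, is the signal to investigate.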

Fix

Related Identifiers: CVE-2022-36120

Affected Products: Blue Prism Enterprise