PT-2023-25885 · Unknown · Smartbpm.Net

Alan Chung · Published 2023-07-10 · Updated 2023-07-13 · CVE-2023-37288

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

SmartBPM.NET (affected versions not specified)

Description

The issue concerns a path traversal vulnerability within the file download function of SmartBPM.NET, allowing an unauthenticated remote attacker to access arbitrary system files. Additionally, there is a vulnerability related to the use of a hard-coded authentication key, which can be exploited by an unauthenticated remote attacker to access the system with regular user privileges, enabling them to read application data and execute submission and approval processes.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Relative Path Traversal

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2023-37288

Affected Products

Smartbpm.Net