CHT Security Red Team Discovered Vulnerability in Well-Known BPM System

Summary

Vulnerability List

[CVE-2022-32456] – SQL Injection

[CVE-2022-32457] – Server-Side Request Forgery

[CVE-2022-32458] – XXE Injection


Details

1. SQL Injection

Description

Several parameters are affected by SQL Injection.

Impact

This vulnerability allows attackers to execute unwanted SQL queries and access arbitrary data in the database.
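The following is an added illustration of the bug class, not code from the advisory or from the affected product (whose implementation language is not stated here; Python and sqlite3 are assumed only for a self-contained demonstration). It runs the same tampered input through a lookup that splices the parameter into the SQL text and through one that binds it, and returns what each leaks.

```python
import sqlite3

def make_sample_db():
    """Constructed in-memory stand-in for an application user table
    (sample rows only; nothing here is taken from the affected product)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn

def lookup_vulnerable(conn, username):
    """The defect class the advisory reports: the untrusted parameter is
    spliced into the statement text, so it can rewrite the WHERE clause."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    """Parameter binding: the value travels separately from the statement,
    so whatever it contains is compared as data and never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def demo(username="nobody' OR '1'='1"):
    """Run both lookups on the same input and return the rows each returned.
    The default argument is a constructed tautology input of the kind
    scanners send to confirm this bug class; it is not from the advisory."""
    conn = make_sample_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, username),
            "safe": lookup_safe(conn, username),
        }
    finally:
        conn.close()

if __name__ == "__main__":
    for mode, rows in demo().items():
        print(f"{mode:10s} -> {len(rows)} row(s): {rows}")
```

With the tampered input the concatenated query returns every row in the table, while the bound query returns nothing, because no username literally equals the tampered string; for an ordinary username both paths return the same single row. The fix for the affected parameters is therefore to bind them rather than to filter characters.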

Known Affected Software

  • Versions before 5.8.6.1

Credits

  • Xin-Yue, Song (CHT Security)


2. Server-Side Request Forgery

Description

Several parameters are affected by Server-Side Request Forgery.

Impact

This vulnerability allows attackers to probe the server's internal network architecture or read system files of the server via forged requests that the server issues on their behalf.
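As an added example of the control that closes this class of issue (not code from the advisory or the product; Python is assumed, and the allowlisted hostnames are constructed), the check below decides whether a user-supplied URL may be fetched by the server. It admits only http(s), refuses credentials in the URL, requires an allowlisted hostname, and validates the addresses the caller has already resolved and will connect to, which is what prevents a hostname that resolves to a loopback or private address from slipping through.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of hostnames the server is permitted to fetch from.
ALLOWED_HOSTS = {"api.example.com", "files.example.com"}

def address_is_public(ip_text):
    """True only for a routable unicast address: loopback, RFC 1918, link-local,
    shared (CGNAT), reserved, unspecified and multicast ranges all fail."""
    addr = ipaddress.ip_address(ip_text)
    return addr.is_global and not addr.is_multicast

def is_safe_outbound_url(url, resolved_addresses):
    """Decide whether the server may fetch `url`.

    `resolved_addresses` are the IP strings the caller resolved the hostname to
    and will actually connect to; validating those, rather than resolving again
    here, closes the DNS-rebinding gap. Returns True only if the scheme is
    http(s), the URL carries no credentials, the hostname is allowlisted and
    every resolved address is public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False                       # file://, gopher://, ftp:// and similar
    if parts.username is not None or parts.password is not None:
        return False                       # userinfo is never legitimate here
    host = parts.hostname                  # already lower-cased by urlsplit
    if not host or host not in ALLOWED_HOSTS:
        return False                       # also rejects every bare IP literal
    if not resolved_addresses:
        return False                       # nothing to connect to: fail closed
    try:
        return all(address_is_public(ip) for ip in resolved_addresses)
    except ValueError:
        return False                       # malformed address string

if __name__ == "__main__":
    # Constructed inputs; 1.2.3.4 stands in for an ordinary public address.
    print(is_safe_outbound_url("https://api.example.com/report", ["1.2.3.4"]))   # True
    print(is_safe_outbound_url("https://api.example.com/report", ["127.0.0.1"])) # False
    print(is_safe_outbound_url("http://10.0.0.5/", ["10.0.0.5"]))                # False
```

The caller must connect to exactly the addresses it passed in (for example by pinning the resolved address in the HTTP client) and must re-run the check on every redirect target, otherwise the validation can be bypassed by a redirect to an internal address.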

Known Affected Software

  • Versions before 5.8.6.1

Credits

  • Xin-Yue, Song (CHT Security)

3. XXE Injection

Description

Several parameters are affected by XXE Injection.

Impact

This vulnerability allows attackers to read arbitrary files on the system.
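The guard below is an added example of the standard mitigation, not code from the advisory or the product (Python and its standard-library parser are assumed; the sample documents are constructed). External entities, and the file reads they enable, can only be declared inside a DTD, so untrusted XML that carries any DOCTYPE declaration is refused before it reaches the parser.

```python
import re
import xml.etree.ElementTree as ET

# Any DOCTYPE is refused outright. XML only accepts the upper-case spelling,
# so legitimate input never contains the lower-case form either; matching
# case-insensitively simply fails closed.
_DOCTYPE = re.compile(r"<!DOCTYPE", re.IGNORECASE)

def parse_untrusted_xml(document):
    """Parse `document` (a str) only if it carries no DTD; raise ValueError otherwise."""
    if _DOCTYPE.search(document):
        raise ValueError("DOCTYPE/DTD declarations are not accepted from untrusted input")
    return ET.fromstring(document)

def is_accepted(document):
    """True if the guard lets the document through and it parses."""
    try:
        parse_untrusted_xml(document)
        return True
    except (ValueError, ET.ParseError):
        return False

# Constructed samples: an ordinary request body, and the same body carrying an
# external-entity declaration that points at a placeholder file URI.
BENIGN = "<task><id>42</id><title>Approve invoice</title></task>"
WITH_DTD = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE task [<!ENTITY ext SYSTEM "file:///PLACEHOLDER_PATH">]>'
    "<task><id>&ext;</id></task>"
)

if __name__ == "__main__":
    print("benign accepted:", is_accepted(BENIGN))      # True
    print("DTD accepted:   ", is_accepted(WITH_DTD))    # False
```

The check expects decoded text; a byte payload in UTF-16 or another encoding must be decoded before it is inspected, or the string match will not see the declaration. Where the parser in use offers a switch to disallow DOCTYPE declarations or external entity resolution, that switch is the preferred form of the same control.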

Known Affected Software

  • Versions before 5.8.6.1

Credits

  • Xin-Yue, Song (CHT Security)