CHT Security Red Team Discovered Vulnerability in Well-Known BPM System
Summary
Vulnerability List
[CVE-2022-32456] – SQL Injection
[CVE-2022-32457] – Server-Side Request Forgery
[CVE-2022-32458] – XXE Injection
Details
1. SQL Injection
Description
There are several parameters that were affected by SQL Injection.
Impact
This vulnerability allows attackers to execute unintended SQL queries and access arbitrary files in the database.
Known Affected Software
- Version before 5.8.6.1
Credits
- Xin-Yue, Song (CHT Security)
2. Server-Side Request Forgery
Description
There are several parameters that were affected by Server-Side Request Forgery.
Impact
This vulnerability allows attackers to probe the server's internal network architecture or read system files on the server through forged requests that the server issues on their behalf.
Known Affected Software
- Version before 5.8.6.1
Credits
- Xin-Yue, Song (CHT Security)
3. XXE Injection
Description
There are several parameters that were affected by XXE Injection.
Impact
This vulnerability allows attackers to access arbitrary files on the system.
Known Affected Software
- Version before 5.8.6.1
Credits
- Xin-Yue, Song (CHT Security)
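The XXE class above, as an added example that is not code from the advisory or from the affected product: a Python standard-library SAX parser with external general entities enabled returns a file's contents in place of the parameter value, while the same parser left at its secure default does not. The request shape, the parameter name and the secret file are constructed for the demonstration.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class _TextCollector(ContentHandler):
    """Collects character data exactly as the parser hands it to the application."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_param(xml_bytes: bytes, allow_external_entities: bool) -> str:
    """Return the text of the request body, with or without external entity resolution.

    allow_external_entities=True reproduces the unsafe configuration: the parser
    fetches the SYSTEM entity and inlines whatever the referenced file contains.
    False is the stdlib default and is the mitigation for this vulnerability class.
    """
    handler = _TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, allow_external_entities)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.parts).strip()


def demo() -> tuple:
    """Parse one constructed XXE-style request with both settings and return both results."""
    # Constructed stand-in for an arbitrary file on the server.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("SECRET-FROM-DISK")
        secret_path = f.name
    try:
        payload = (
            '<?xml version="1.0"?>'
            f'<!DOCTYPE request [<!ENTITY ext SYSTEM "file://{secret_path}">]>'
            "<request><param>&ext;</param></request>"
        ).encode()
        vulnerable = parse_param(payload, allow_external_entities=True)
        hardened = parse_param(payload, allow_external_entities=False)
        return vulnerable, hardened
    finally:
        os.unlink(secret_path)
```

The hardened call yields an empty parameter rather than the file, which is the behaviour to confirm in any XML-consuming endpoint of the patched version.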