CHT Security Red Team Discovered a Vulnerability in a Well-Known BPM System.

Summary 

CVE-2925-11949: CHT Security discovered a high-risk vulnerability in a domestic BPM system. The system's API fails to properly verify the caller's permissions, so an unauthorized attacker can use the API to read sensitive information, such as system account credentials.

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor 

Version  

Affected version: v6.6.19

Remediation 

1. Users: Contact the vendor as soon as possible to discuss remediation.

2. System developers: The API should validate the caller's permissions before returning any data.
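The following is an added illustration of the remediation point, not code from the vendor or from CHT Security. It models a hypothetical account-lookup API handler in two forms: the weak pattern the advisory describes (data returned with no permission check) and a hardened version that authenticates the caller, authorizes the request against a role-to-permission table before touching the store, and strips credential material from the response even for authorized callers. The account records, roles and permission names are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample account store standing in for the BPM system's account table.
# The password_hash values are placeholders, not real credential material.
ACCOUNTS = {
    "alice": {"role": "admin", "email": "alice@example.invalid", "password_hash": "<hash-placeholder-1>"},
    "bob":   {"role": "user",  "email": "bob@example.invalid",   "password_hash": "<hash-placeholder-2>"},
}

# Hypothetical role-to-permission map; "account:read" lets a caller read other users' records.
PERMISSIONS = {
    "admin": {"account:read"},
    "user": set(),
}

# Fields that must never leave the server in an API response, regardless of who asks.
SENSITIVE_FIELDS = {"password_hash"}


@dataclass
class Session:
    """Caller context attached to an API request. user is None for an unauthenticated caller."""
    user: Optional[str]


class PermissionDenied(Exception):
    """Raised when the caller is not allowed to perform the requested operation."""


def get_account_vulnerable(session: Session, target: str) -> dict:
    """Weak pattern (CWE-200): the handler never looks at the session and returns the raw
    record, so an anonymous caller obtains the stored credential for any account."""
    return ACCOUNTS[target]


def require_permission(session: Session, permission: str) -> None:
    """Authentication first, then authorization; fail closed on unknown roles."""
    if session.user is None:
        raise PermissionDenied("authentication required")
    role = ACCOUNTS.get(session.user, {}).get("role")
    if permission not in PERMISSIONS.get(role, set()):
        raise PermissionDenied(f"{session.user} lacks {permission}")


def get_account_fixed(session: Session, target: str) -> dict:
    """Hardened handler: a caller may read its own record; reading anyone else's requires
    account:read. The check runs before the store is queried, and credential fields are
    removed from the response so an authorized read still cannot leak them."""
    if session.user is None:
        raise PermissionDenied("authentication required")
    if session.user != target:
        require_permission(session, "account:read")
    record = ACCOUNTS.get(target)
    if record is None:
        raise KeyError(target)
    return {k: v for k, v in record.items() if k not in SENSITIVE_FIELDS}


if __name__ == "__main__":
    anonymous = Session(user=None)
    print("vulnerable, anonymous:", get_account_vulnerable(anonymous, "alice"))
    try:
        get_account_fixed(anonymous, "alice")
    except PermissionDenied as e:
        print("fixed, anonymous:", e)
    print("fixed, admin reads bob:", get_account_fixed(Session("alice"), "bob"))
```

The two design choices worth copying are the ordering (the permission check precedes the data access, so there is no code path that fetches first and filters later) and the response allow-list, which keeps a future authorization bug from turning into a credential disclosure.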

Credits 

Sam Huang (CHT Security)