CHT Security Red Team Discovered a Vulnerability in a Well-Known BPM System.

Summary

Due to insufficient validation or sanitization of user input in a specific query function, authenticated users are able to perform SQL injection, potentially gaining the ability to read, modify, or delete data from the backend database.


Version 

Version = v6.6.19


Remediation

1. User: Contact the vendor as soon as possible to discuss remediation measures.

2. System Developer: Avoid directly concatenating user input into SQL queries. Input validation and the use of parameterized queries or prepared statements should be implemented to prevent SQL injection attacks.
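The developer guidance above, shown as an added example that is not code from the affected product or from the advisory: a concatenated query beside a parameterized one, with allow-list validation for the one part a placeholder cannot cover (a column name). It uses Python's sqlite3 module; the table, columns, function names and sample rows are all hypothetical and constructed for the illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; the schema is hypothetical, not the product's.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tasks (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)")
    db.executemany(
        "INSERT INTO tasks (owner, title) VALUES (?, ?)",
        [("alice", "Approve PO"), ("bob", "Review leave"), ("bob", "Sign contract")],
    )
    return db

def find_tasks_concat(db, owner):
    # The pattern the advisory warns against: the input becomes part of the
    # SQL text, so a quote character in it changes the statement's structure.
    sql = "SELECT title FROM tasks WHERE owner = '" + owner + "'"
    return [row[0] for row in db.execute(sql)]

# Identifiers (column names) cannot be bound as parameters, so they are
# checked against a fixed allow-list instead.
SORTABLE = {"id", "title"}

def find_tasks_param(db, owner, sort_by="id"):
    # Input validation: reject values outside the expected type and length.
    if not isinstance(owner, str) or not (0 < len(owner) <= 64):
        raise ValueError("invalid owner")
    if sort_by not in SORTABLE:
        raise ValueError("invalid sort column")
    # The value travels as a bound parameter; the database never parses it
    # as SQL, whatever characters it contains.
    sql = f"SELECT title FROM tasks WHERE owner = ? ORDER BY {sort_by}"
    return [row[0] for row in db.execute(sql, (owner,))]

if __name__ == "__main__":
    db = make_db()
    crafted = "alice' OR '1'='1"  # constructed input containing a quote
    print("concatenated :", find_tasks_concat(db, crafted))
    print("parameterized:", find_tasks_param(db, crafted))
```

With the concatenated query the constructed input returns every user's rows; with the bound parameter it is compared as a literal string and matches nothing.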


Credits

Sam Huang (CHT Security)