Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ProcessMaker < 3.5.4 Authenticated Plugin Upload RCE
Vulnerability Description
An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugin’s install() method is invoked, resulting in execution of attacker-supplied PHP code on the server with the privileges of the web server user. This vulnerability can be chained with CVE-2022-38577 — a privilege escalation flaw in the user profile page — to achieve full remote code execution from a low-privileged account.
CVSS Information
N/A
Vulnerability Type
危险类型文件的不加限制上传
Vulnerability Title
ProcessMaker 代码问题漏洞
Vulnerability Description
ProcessMaker是美国ProcessMaker公司的一个Php编写的用于商业进程管理(BPM)和工作流管理的建站系统。 ProcessMaker 3.5.4之前版本存在安全漏洞,该漏洞源于插件上传处理不当,可能导致远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A