Source: Ministry of education information & communication security contingency platform
Publication Number | TACERT-ANA-2024101809104848 | Publication Time | 2024/10/18 09:50 |
Incident Type | ANA-Vulnerability Alert | Discovery Time | 2024/10/16 09:50 |
Impact Level | Medium | ||
[Subject] 【Vulnerability Alert】 Critical Security Vulnerabilities Found in NewType Infortech FlowMaster BPM Plus |
|||
[Content] Forwarded from TWCERTCC-200-202410-00000005 TWCERT/CC issued a report on October 15, 2024, regarding critical security vulnerabilities in NewType Infortech FlowMaster BPM Plus. 【NewType Infortech FlowMaster BPM Plus - Privilege Escalation】(TVN-202410007, CVE-2024-9970, CVSS: 8.8) NewType Infortech FlowMaster BPM Plus contains a privilege escalation vulnerability where a remote attacker with normal user access can escalate privileges to administrator by tampering with specific cookies. 【NewType Infortech FlowMaster BPM Plus - SQL Injection】(TVN-202410008, CVE-2024-9971, CVSS: 8.8) NewType Infortech FlowMaster BPM Plus contains a SQL injection vulnerability where a remote attacker with normal user access can inject SQL commands into specific query functions, allowing them to read, modify, or delete database content. Information Sharing Level: WHITE (Information content can be publicly disclosed) |
|||
[Affected Platform] FlowMaster BPM Plus Service Pack versions prior to v5.3.1 |
|||
[Recommended Actions] Update Service Pack to version v5.3.1 or later |
|||
[Reference] 1.NewType Infortech FlowMaster BPM Plus - Privilege Escalation: https://www.twcert.org.tw/tw/cp-132-8136-4d5b4-1.html 2.NewType Infortech FlowMaster BPM Plus - SQL Injection: https://www.twcert.org.tw/tw/cp-132-8138-d2bb7-1.html |