【Vulnerability Alert】 Critical Security Vulnerabilities Found in NewType Infortech FlowMaster BPM Plus

publish date : 2024-10-22 update date : 2024-10-22

Source: Ministry of education information & communication security contingency platform

Publication Number TACERT-ANA-2024101809104848 Publication Time 2024/10/18 09:50
Incident Type ANA-Vulnerability Alert Discovery Time 2024/10/16 09:50
Impact Level Medium  
[Subject]
【Vulnerability Alert】 Critical Security Vulnerabilities Found in NewType Infortech FlowMaster BPM Plus
[Content]
Forwarded from TWCERTCC-200-202410-00000005

TWCERT/CC issued a report on October 15, 2024, regarding critical security vulnerabilities in NewType Infortech FlowMaster BPM Plus. 【NewType Infortech FlowMaster BPM Plus - Privilege Escalation】(TVN-202410007, CVE-2024-9970, CVSS: 8.8) NewType Infortech FlowMaster BPM Plus contains a privilege escalation vulnerability where a remote attacker with normal user access can escalate privileges to administrator by tampering with specific cookies. 【NewType Infortech FlowMaster BPM Plus - SQL Injection】(TVN-202410008, CVE-2024-9971, CVSS: 8.8) NewType Infortech FlowMaster BPM Plus contains a SQL injection vulnerability where a remote attacker with normal user access can inject SQL commands into specific query functions, allowing them to read, modify, or delete database content.

Information Sharing Level: WHITE (Information content can be publicly disclosed)
[Affected Platform]
FlowMaster BPM Plus Service Pack versions prior to v5.3.1
[Recommended Actions]
Update Service Pack to version v5.3.1 or later
[Reference]
1.NewType Infortech FlowMaster BPM Plus - Privilege Escalation: https://www.twcert.org.tw/tw/cp-132-8136-4d5b4-1.html
2.NewType Infortech FlowMaster BPM Plus - SQL Injection: https://www.twcert.org.tw/tw/cp-132-8138-d2bb7-1.html
(This notification is for informational purposes only and does not constitute a cybersecurity incident).
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of education information & communication security contingency platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
Organizer: Computer Center