【Vulnerability Alert】 Critical Security Vulnerabilities Found in NewType Infortech FlowMaster BPM Plus
publish date :
2024-10-22
update date :
2024-10-22
Source: Ministry of education information & communication security contingency platform
| Publication Number | TACERT-ANA-2024101809104848 | Publication Time | 2024/10/18 09:50 |
| Incident Type | ANA-Vulnerability Alert | Discovery Time | 2024/10/16 09:50 |
| Impact Level | Medium | ||
| [Subject] 【Vulnerability Alert】 Critical Security Vulnerabilities Found in NewType Infortech FlowMaster BPM Plus |
|||
| [Content] Forwarded from TWCERTCC-200-202410-00000005 TWCERT/CC issued a report on October 15, 2024, regarding critical security vulnerabilities in NewType Infortech FlowMaster BPM Plus. 【NewType Infortech FlowMaster BPM Plus - Privilege Escalation】(TVN-202410007, CVE-2024-9970, CVSS: 8.8) NewType Infortech FlowMaster BPM Plus contains a privilege escalation vulnerability where a remote attacker with normal user access can escalate privileges to administrator by tampering with specific cookies. 【NewType Infortech FlowMaster BPM Plus - SQL Injection】(TVN-202410008, CVE-2024-9971, CVSS: 8.8) NewType Infortech FlowMaster BPM Plus contains a SQL injection vulnerability where a remote attacker with normal user access can inject SQL commands into specific query functions, allowing them to read, modify, or delete database content. Information Sharing Level: WHITE (Information content can be publicly disclosed) |
|||
| [Affected Platform] FlowMaster BPM Plus Service Pack versions prior to v5.3.1 |
|||
| [Recommended Actions] Update Service Pack to version v5.3.1 or later |
|||
| [Reference] 1.NewType Infortech FlowMaster BPM Plus - Privilege Escalation: https://www.twcert.org.tw/tw/cp-132-8136-4d5b4-1.html 2.NewType Infortech FlowMaster BPM Plus - SQL Injection: https://www.twcert.org.tw/tw/cp-132-8138-d2bb7-1.html |
|||
(This notification is for informational purposes only and does not constitute a cybersecurity incident).
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of education information & communication security contingency platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of education information & communication security contingency platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
Organizer:
Computer Center
