SQL Injection Vulnerability in ProcessMaker by ProcessMaker Inc.
CVE-2020-13526

6.4MEDIUM

Key Information:

Vendor

Processmaker

Status
Processmaker
Vendor
CVE Published:
10 December 2020

What is CVE-2020-13526?

An SQL injection vulnerability has been identified in ProcessMaker 3.4.11, specifically in the handling of sort parameters within the reportTables_Ajax and clientSetupAjax pages. This vulnerability allows an attacker who has authenticated access to send specially crafted HTTP requests that can manipulate the database by injecting malicious SQL code. This presents a risk for data exposure and integrity breaches, highlighting the importance of securing web applications against such vulnerabilities.

Affected Version(s)

ProcessMaker ProcessMaker 3.4.11

References

https://talosintelligence.com/vulnerability_reports/TALOS...
x_refsource_CONFIRM

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

CVSS V3.0

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.