{"vuid":"VU#112412","idnumber":"112412","name":"Bizagi BPM Suite contains multiple vulnerabilities","keywords":["Bizagi","XSS","SQLi","SQL Injection","CWE-79","CWE-89"],"overview":"Bizagi BPM Suite contains a reflected cross-site scripting vulnerability and a SQL injection vulnerability.","clean_desc":"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2014-2947\nAccording to Open-Sec consultant Mauricio Urizar, all versions of Bizagi BPM Suite contain a reflected cross-site scripting (XSS) vulnerability. The application fails to sanitize the txtUsername POST parameter to the Login.aspx page.\n\nCWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2014-2948\nFurthermore, Urizar reports that all versions of Bizagi BPM Suite are vulnerable to SQL injection attacks through the workflowenginesoa.asmx web service. By sending specially crafted SOAP requests to the web service, a remote authenticated attacker can execute arbitrary SQL statements.\n\nThe CVSS score reflects CVE-2014-2948.","impact":"By exploiting the reflected XSS vulnerability, a remote unauthenticated attacker may be able to execute arbitrary JavaScript in the context of the victim's browser. By exploiting the SQL injection vulnerability, a remote authenticated attacker may be able to read, modify, or delete data from the database.","resolution":"Bizagi has stated that the cross-site scripting vulnerability (CVE-2014-2947) was fixed in version 10.3 and the SQL injection vulnerability (CVE-2014-2948) was fixed in version 10.5. Users are encouraged to upgrade to version 10.5.\nIf you are unable to upgrade, please consider the following workaround:","workarounds":"Restrict Access\nAs a general good security practice, only allow connections from trusted hosts and networks.","sysaffected":"","thanks":"Thanks to Mauricio Urizar for reporting this vulnerability.","author":"This document was written by Todd Lewellen.","public":["http://www.bizagi.com/products/bizagi-bpm-suite/overview-bpm-suite","http://help.bizagi.com/bpmsuite/en/index.html?setup_security.htm"],"cveids":["CVE-2014-2947","CVE-2014-2948 "],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2014-03-19T09:16:54Z","publicdate":"2014-05-22T00:00:00Z","datefirstpublished":"2014-05-22T17:19:07Z","dateupdated":"2014-08-11T18:47:30Z","revision":19,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"C","cvss_integrityimpact":"C","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"W","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"L","cvss_targetdistribution":"L","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"8.5","cvss_basevector":"AV:N/AC:M/Au:S/C:C/I:C/A:C","cvss_temporalscore":"7.3","cvss_environmentalscore":"1.8862980424","cvss_environmentalvector":"CDP:L/TD:L/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}