CVE-2022-39036

FLOWRING Agentflow BPM - Arbitrary File Upload

CVSS 9.8 CRITICAL · EPSS 1.2% · CWE-434
Vexday Risk Score
28 Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.8 · EPSS 1.2% · KEV no · PoC · Nuclei · Metasploit · Patch
Lifecycle
10 Nov 2022 · Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The file upload function of Agentflow BPM has insufficient filtering for special characters in URLs. An unauthenticated remote attacker can exploit this vulnerability to upload arbitrary files and execute arbitrary code to manipulate the system or disrupt service.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
FLOWRING · Agentflow BPM
