CVE-2013-10035
ProcessMaker Open Source < 2.5.2 neoclassic Skin PHP Code Execution
Vexday Risk Score
36Atención
Decisión SSVC (CISA)
Attend
PoC disponible → seguir de cerca
CVSS 8.7EPSS 1.4%KEV nãoPoC —Nuclei —Metasploit simPatch referenciado
Ciclo de vida
24 oct 2013Exploit Metasploit disponible
31 jul 2025Publicada en NVD
Recomendación: Planificar corrección próxima — ya existe PoC pública.
A code injection vulnerability exists in ProcessMaker Open Source versions 2.x when using the default 'neoclassic' skin. An authenticated user can execute arbitrary PHP code via multiple endpoints, including appFolderAjax.php, casesStartPage_Ajax.php, and cases_SchedulerGetPlugins.php, by supplying crafted POST requests to parameters such as action and params. These endpoints fail to validate user input and directly invoke PHP functions like system() with user-supplied parameters, enabling remote code execution. The vulnerability affects both Linux and Windows installations and is present in default configurations of versions including 2.0.23 through 2.5.1. The vulnerable skin cannot be removed through the web interface, and exploitation requires only valid user credentials.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Productos afectados
ProcessMaker, Inc. · ProcessMaker Open Source¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →Referencias
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/processmaker_exec.rbhttps://web.archive.org/web/20150419043936/https://bugs.processmaker.com/view.php?id=13436https://www.exploit-db.com/exploits/29325https://www.fortiguard.com/encyclopedia/ips/37390https://www.vulncheck.com/advisories/processmaker-open-source-neoclassic-skin-php-code-execution