CVE-2013-10035
ProcessMaker Open Source < 2.5.2 neoclassic Skin PHP Code Execution
Vexday Risk Score
36Atenção
Decisão SSVC (CISA)
Attend
PoC disponível → acompanhar de perto
CVSS 8.7EPSS 1.4%KEV nãoPoC —Nuclei —Metasploit simPatch referenciado
Ciclo de vida
24 out 2013Exploit Metasploit disponível
31 jul 2025Publicada no NVD
Recomendação: Planejar correção próxima — já existe PoC pública.
A code injection vulnerability exists in ProcessMaker Open Source versions 2.x when using the default 'neoclassic' skin. An authenticated user can execute arbitrary PHP code via multiple endpoints, including appFolderAjax.php, casesStartPage_Ajax.php, and cases_SchedulerGetPlugins.php, by supplying crafted POST requests to parameters such as action and params. These endpoints fail to validate user input and directly invoke PHP functions like system() with user-supplied parameters, enabling remote code execution. The vulnerability affects both Linux and Windows installations and is present in default configurations of versions including 2.0.23 through 2.5.1. The vulnerable skin cannot be removed through the web interface, and exploitation requires only valid user credentials.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Produtos afetados
ProcessMaker, Inc. · ProcessMaker Open SourceQuer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →Referências
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/processmaker_exec.rbhttps://web.archive.org/web/20150419043936/https://bugs.processmaker.com/view.php?id=13436https://www.exploit-db.com/exploits/29325https://www.fortiguard.com/encyclopedia/ips/37390https://www.vulncheck.com/advisories/processmaker-open-source-neoclassic-skin-php-code-execution