CVE-2013-10035
BaseFortify
Publication date: 2025-07-31
Last updated on: 2025-07-31
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| processmaker | processmaker | 2.0.23 |
| processmaker | processmaker | 2.5.1 |
| processmaker | processmaker | 2.5.0 |
| processmaker | processmaker | 2.0.45 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a code injection flaw in ProcessMaker Open Source versions 2.x when using the default 'neoclassic' skin. An authenticated user can execute arbitrary PHP code by sending crafted POST requests to certain endpoints (like appFolderAjax.php, casesStartPage_Ajax.php, and cases_SchedulerGetPlugins.php). These endpoints do not properly validate user input and directly call PHP functions such as system() with user-supplied parameters, allowing remote code execution. Exploitation requires valid user credentials and affects both Linux and Windows installations.
How can this vulnerability impact me? :
This vulnerability can allow an authenticated user to execute arbitrary PHP code on the server, potentially leading to full remote code execution. This can compromise the server's integrity, confidentiality, and availability, allowing attackers to manipulate data, disrupt services, or gain further access to the system.