CVE-2025-34097
BaseFortify
Publication date: 2025-07-10
Last updated on: 2025-07-15
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| processmaker | processmaker | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an unrestricted file upload issue in ProcessMaker versions before 3.5.4. It allows an attacker with administrative privileges to upload a malicious plugin archive (.tar file) containing arbitrary PHP code. When the plugin is installed, the install() method executes the attacker's PHP code on the server with the web server user's privileges. This can be combined with another vulnerability (CVE-2022-38577) to achieve full remote code execution from a low-privileged account.
How can this vulnerability impact me?
The vulnerability can lead to remote code execution on the server, allowing an attacker to run arbitrary PHP code with the web server's privileges. This can compromise the server, potentially leading to data theft, service disruption, or further attacks within the network, especially if combined with other vulnerabilities to escalate privileges.