Vulnerability Note VU#112412
Bizagi BPM Suite contains multiple vulnerabilities
Bizagi BPM Suite contains a reflected cross-site scripting vulnerability and a SQL injection vulnerability.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2014-2947
According to Open-Sec consultant Mauricio Urizar, all versions of Bizagi BPM Suite available at the time of the report contain a reflected cross-site scripting (XSS) vulnerability. The application fails to neutralize (HTML-encode) the txtUsername POST parameter before reflecting it into the Login.aspx page, so an attacker who can get a victim to submit a crafted login request can run script in the victim's browser in the context of the application.
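The following is an added example illustrating the class of defect described above; it is not Bizagi's code and the login markup, the handler, and the txtPassword field are assumptions. It simulates a Login.aspx handler that echoes txtUsername back into an attribute (the CWE-79 defect) beside a handler that HTML-encodes it, and includes the reflection check a tester would run against the response to tell an unencoded reflection from a neutralized one.

```python
"""Reflected XSS via an echoed login field: vulnerable vs. neutralized handler,
plus the reflection check a tester would run against the response.
Added example, not Bizagi's code: the form markup, the handler and the
txtPassword field are assumptions."""
import html
from urllib.parse import parse_qs, urlencode

# Hypothetical login markup that echoes the submitted username back into an
# HTML attribute, as login pages commonly do after a failed attempt.
LOGIN_TEMPLATE = (
    '<form method="POST" action="/Login.aspx">\n'
    '  <input type="text" name="txtUsername" value="{username}">\n'
    '  <input type="password" name="txtPassword">\n'
    '</form>'
)

# Probe that closes the value="" attribute and injects a script element if the
# server reflects quotes and angle brackets unencoded.
PROBE = '"><script>alert(1)</script>'


def encode_form(fields: dict) -> str:
    """Build an application/x-www-form-urlencoded POST body."""
    return urlencode(fields)


def handle_login_post(body: str, neutralize: bool) -> str:
    """Simulated server side of Login.aspx.

    neutralize=False reproduces the CWE-79 defect: the txtUsername value is
    placed into the page verbatim. neutralize=True is the fix: encode the
    value for the HTML attribute context it lands in (quotes included).
    """
    form = parse_qs(body, keep_blank_values=True)
    username = form.get("txtUsername", [""])[0]
    if neutralize:
        username = html.escape(username, quote=True)
    return LOGIN_TEMPLATE.format(username=username)


def classify_reflection(page: str, probe: str = PROBE) -> str:
    """Classify how a response reflects the probe.

    'raw'     - probe present verbatim: exploitable reflected XSS
    'encoded' - probe present only in HTML-encoded form: neutralized
    'absent'  - probe not reflected at all
    """
    if probe in page:
        return "raw"
    if html.escape(probe, quote=True) in page:
        return "encoded"
    return "absent"


def probe_login(neutralize: bool) -> str:
    """Submit the probe as txtUsername and classify how it comes back."""
    body = encode_form({"txtUsername": PROBE, "txtPassword": "x"})
    return classify_reflection(handle_login_post(body, neutralize), PROBE)


if __name__ == "__main__":
    print("vulnerable handler:", probe_login(neutralize=False))  # raw
    print("fixed handler:     ", probe_login(neutralize=True))   # encoded
```

The check keys on the exact probe string rather than on any `<script>` text, so it does not false-positive on a page that legitimately contains script tags; when testing a real deployment, send the same probe in the POST body and apply `classify_reflection` to the response.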
Bizagi has stated that the cross-site scripting vulnerability (CVE-2014-2947) was fixed in version 10.3 and the SQL injection vulnerability (CVE-2014-2948) was fixed in version 10.5. Users are encouraged to upgrade to version 10.5. If you are unable to upgrade, please consider the following workaround:
Vendor Information

| Vendor | Status   | Date Notified | Date Updated |
|--------|----------|---------------|--------------|
| Bizagi | Affected | 11 Apr 2014   | 22 May 2014  |
Thanks to Mauricio Urizar for reporting this vulnerability.
This document was written by Todd Lewellen.
- CVE IDs: CVE-2014-2947 CVE-2014-2948
- Date Public: 22 May 2014
- Date First Published: 22 May 2014
- Date Last Updated: 11 Aug 2014
- Document Revision: 18