Bizagi BPM Suite contains a reflected cross-site scripting vulnerability and a SQL injection vulnerability.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2014-2947
According to Open-Sec consultant Mauricio Urizar, all versions of Bizagi BPM Suite contain a reflected cross-site scripting (XSS) vulnerability. The application fails to sanitize the txtUsername POST parameter to the Login.aspx page.
Bizagi has stated that the cross-site scripting vulnerability (CVE-2014-2947) was fixed in version 10.3 and the SQL injection vulnerability (CVE-2014-2948) was fixed in version 10.5. Users are encouraged to upgrade to version 10.5. If you are unable to upgrade, please consider the following workaround:
Thanks to Mauricio Urizar for reporting this vulnerability.
This document was written by Todd Lewellen.