Metrics
Affected Vendors & Products
Wed, 16 Jul 2025 13:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics | epss | epss |
Fri, 11 Jul 2025 14:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics | ssvc | ssvc |
Fri, 11 Jul 2025 13:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics | epss | |
Fri, 11 Jul 2025 13:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics | epss | |
Thu, 10 Jul 2025 21:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics | ssvc | |
Thu, 10 Jul 2025 19:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugin’s install() method is invoked, resulting in execution of attacker-supplied PHP code on the server with the privileges of the web server user. This vulnerability can be chained with CVE-2022-38577 — a privilege escalation flaw in the user profile page — to achieve full remote code execution from a low-privileged account. | |
Title | ProcessMaker < 3.5.4 Authenticated Plugin Upload RCE | |
Weaknesses | CWE-434 | |
References | | |
Metrics | cvssV4_0 | |

Status: PUBLISHED
Assigner: VulnCheck
Published: 2025-07-10T19:12:37.309Z
Updated: 2025-07-11T13:21:51.637Z
Reserved: 2025-04-15T19:15:22.555Z
Link: CVE-2025-34097

Updated: 2025-07-10T20:26:22.512Z

Status: Awaiting Analysis
Published: 2025-07-10T20:15:25.260
Modified: 2025-07-15T13:14:49.980
Link: CVE-2025-34097

No data.