TIM BPM Suite and TIM FLOW Hibernate Query Language Injection Vulnerability

Vulnerability

A Hibernate Query Language (HQL) injection vulnerability has been identified in TIM BPM Suite/TIM FLOW versions prior to 9.1.2. This vulnerability allows a low-privileged user to inject HQL queries, potentially leading to the extraction of passwords and sensitive data from other users.
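For readers unfamiliar with the vulnerability class named above, the following Java snippet is an added illustration and is not code from TIM BPM Suite or TIM FLOW; the `AppUser` entity, the method names and the `Session` usage are assumptions. It places the classic injectable pattern (a user-controlled value concatenated into the HQL string) beside the hardened form (named parameter binding), which is the remediation a code reviewer would look for.

```java
import org.hibernate.Session;
import org.hibernate.query.Query;

import java.util.List;

public class HqlLookupExample {

    // Hypothetical entity for illustration only; not the vendor's data model.
    public static class AppUser {
        private Long id;
        private String username;
        private String passwordHash;

        public Long getId() { return id; }
        public String getUsername() { return username; }
        // Note: the password hash is intentionally not exposed via a getter here;
        // a query that returns the whole entity to a low-privileged caller would
        // still carry it, which is why the safe variant below selects only what
        // the caller is allowed to see.
    }

    // VULNERABLE PATTERN: the username is spliced directly into the HQL text.
    // Because HQL is parsed like a query language, an attacker-controlled value
    // can alter the query's structure (add conditions, change the selection), which
    // is how an HQL injection reaches data belonging to other users.
    public static List<AppUser> findByUsernameVulnerable(Session session, String username) {
        String hql = "from AppUser u where u.username = '" + username + "'";
        return session.createQuery(hql, AppUser.class).getResultList();
    }

    // HARDENED PATTERN: the value is bound as a named parameter. Hibernate passes
    // it to the database as data, so it can never be interpreted as HQL syntax.
    // The projection also limits the result to non-sensitive columns.
    public static List<Object[]> findByUsernameSafe(Session session, String username) {
        Query<Object[]> query = session.createQuery(
                "select u.id, u.username from AppUser u where u.username = :name",
                Object[].class);
        query.setParameter("name", username);
        return query.getResultList();
    }

    // Lightweight review heuristic (assumed, not a vendor tool): flag source lines
    // that build a query string with string concatenation. Useful as a first pass
    // when auditing a code base for this bug class; it does not replace a parser.
    public static boolean looksLikeConcatenatedQuery(String sourceLine) {
        String s = sourceLine.replaceAll("\\s+", "");
        boolean buildsQuery = s.contains("createQuery(") || s.contains("Stringhql=")
                || s.contains("Stringquery=");
        boolean concatenatesInput = s.contains("\"+") || s.contains("+\"");
        return buildsQuery && concatenatesInput;
    }
}
```

The two methods take the same input and differ only in how the value reaches Hibernate; in a real review, the presence of the first pattern in a path reachable by a low-privileged user is the finding, and converting it to the second pattern (plus restricting the selected columns and enforcing authorization on the caller) is the fix. `looksLikeConcatenatedQuery` is a constructed grep-style helper to help locate candidate lines; it will produce false positives and must be confirmed by reading the code.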

Impact

Exploitation of this vulnerability could result in unauthorized access to other users' passwords and sensitive data.

Remediation

The vendor has released a silent fix for this vulnerability. However, as of now, the implemented security measures have not been verified.

Added: Jan 9, 2026, 4:23 PM
Updated: Jan 9, 2026, 5:35 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 5.2
remediation: 0.0
relevance: 2.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined to calculate the overall risk score.