TIM BPM Suite and TIM FLOW Authorization Bypass Vulnerability Allowing Unauthorized Access and Modification of User Data
Vulnerability
Multiple authorization bypass vulnerabilities have been identified in TIM BPM Suite and TIM FLOW versions prior to 9.1.2. These vulnerabilities allow low-privileged users to download password hashes of other users, access their work items, modify restricted content in workflows, change the application's logo, and manipulate other users' profiles. The root cause of these vulnerabilities is incorrect access control, which enables unauthorized users to perform actions or access data that should be restricted.
Impact
Exploitation of these vulnerabilities could lead to unauthorized access to sensitive user data, including password hashes, and allow for unauthorized modifications to user profiles and workflow content.
Remediation
The vendor has released a silent fix for these vulnerabilities, which has been verified by Y-Security.
