Code injection

2022-08-2600:15:00

PRIOn knowledge base

www.prio-n.com

code injection

blue prism

access controls

mssql stored procedure

vulnerability

8 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

65.8%

JSON

An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. In a misconfigured environment that exposes the Blue Prism Application server, it is possible for an authenticated user to reverse engineer the Blue Prism software and circumvent access controls for the getChartData administrative function. Using a low/no privilege Blue Prism user account, the attacker can alter the server’s settings by abusing the getChartData method, allowing the Blue Prism server to execute any MSSQL stored procedure by name.

CPENameOperatorVersion
blue_prism_enterprisege6.0
blue_prism_enterpriselt7.1

CPE	Name	Operator	Version
	blue_prism_enterprise	ge	6.0
	blue_prism_enterprise	lt	7.1

References

blueprism.com

community.blueprism.com/discussion/security-vulnerability-notification-ssc-blue-prism-enterprise

portal.blueprism.com/security-vulnerabilities-august-2022