Code injection

2022-08-2600:15:00

PRIOn knowledge base

www.prio-n.com

blue prism enterprise

access controls

code injection

application server

authenticated users

misconfigured environment

nvd

5.1 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

28.9%

JSON

An issue was discovered in Blue Prism Enterprise 6.0 through 7.01. In a misconfigured environment that exposes the Blue Prism Application server, it is possible for an authenticated user to reverse engineer the Blue Prism software and circumvent access controls for the UpdateOfflineHelpData administrative function. Abusing this function will allow any Blue Prism user to change the offline help URL to one of their choice, opening the possibility of spoofing the help page or executing a local file.

CPENameOperatorVersion
blue_prism_enterprisege6.0
blue_prism_enterpriselt7.1

CPE	Name	Operator	Version
	blue_prism_enterprise	ge	6.0
	blue_prism_enterprise	lt	7.1

References

blueprism.com

community.blueprism.com/discussion/security-vulnerability-notification-ssc-blue-prism-enterprise

portal.blueprism.com/security-vulnerabilities-august-2022