4500 matches found
CVE-2020-26173
CVE-2020-26173 concerns Tangro Business Workflow (versions before 1.18.1) with an incorrect access control implementation that lets an attacker download documents (PDF) by supplying a valid document ID and token. No further authentication is required, enabling information disclosure of documents ...
CVE-2020-26173
An incorrect access control implementation in Tangro Business Workflow before 1.18.1 allows an attacker to download documents (PDF) by providing a valid document ID and token. No further authentication is required...
CVE-2020-26174
CVE-2020-26174 affects tangro Business Workflow prior to 1.18.1. The issue stems from a client-side only whitelist of allowed filetypes for uploads; the server-side enforcement is missing, allowing an attacker to upload any file as an attachment to a work item. No exploitation details are provide...
CVE-2020-26174
tangro Business Workflow before 1.18.1 requests a list of allowed filetypes from the server and restricts uploads to the filetypes contained in this list. However, this restriction is enforced in the browser client-side and can be circumvented. This allows an attacker to upload any file as an...
CVE-2020-26175
CVE-2020-26175 affects Tangro Business Workflow prior to 1.18.1. An attacker can manipulate the value of the PERSON parameter in requests to the /api/profile endpoint to change the profile information of other users. The root cause is an authorization/validation flaw that allows parameter tamperi...
CVE-2020-26175
In tangro Business Workflow before 1.18.1, an attacker can manipulate the value of PERSON in requests to /api/profile in order to change profile information of other users...
CVE-2020-26176
An issue was discovered in tangro Business Workflow before 1.18.1. No or broken access control checks exist on the /api/document//attachments API endpoint. Knowing a document ID, an attacker can list all the attachments of a workitem, including their respective IDs. This allows the attacker to...
CVE-2020-26176
The vulnerability CVE-2020-26176 affects tangro Business Workflow prior to 1.18.1. It arises from missing/broken access control on the /api/document//attachments endpoint, allowing an attacker who knows a document ID to enumerate all attachments for that work item and obtain their IDs. Impact as ...
CVE-2020-26177
In tangro Business Workflow before 1.18.1, a user's profile contains some items that are greyed out and thus are not intended to be edited by regular users. However, this restriction is only applied client-side. Manipulating any of the greyed-out values in requests to /api/profile is not prohibit...
CVE-2020-26177
CVE-2020-26177 affects Tangro Business Workflow prior to 1.18.1. The issue is an access control flaw: certain profile items are rendered as greyed out on the client, but the server does not enforce this restriction—manipulating greyed‑out values in requests to /api/profile is not prohibited serve...
CVE-2020-26178
CVE-2020-26178 affects Tangro Business Workflow before 1.18.1, where knowledge of an attachment ID allows downloading work-item attachments without authentication due to an authorization issue. This is documented across multiple sources (CNVD-2020-74066, NVD/NVD entry). Remediation: upgrade t...
CVE-2020-26178
In tangro Business Workflow before 1.18.1, knowing an attachment ID, it is possible to download workitem attachments without being authenticated...
Security Bulletin: Information disclosure and Denial of Service vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2020-4794
Summary: The optional component Process Federation Server that is shipped with IBM Business Process Manager and IBM Business Automation Workflow is vulnerable to an information disclosure and denial of service attack. Vulnerability Details: CVEID: CVE-2020-4794 DESCRIPTION: IBM Process Federation...
Tangro Business Workflow Authorization Issue Vulnerability
Tangro Business Workflow is software from the German company Tangro that visualizes the internal control and approval processes for SAP document content. A vulnerability exists in Tangro Business Workflow prior to version 1.18.1 due to an authorization issue, which stems from the...
Authorization Issue Vulnerability in Multiple IBM Products
IBM Business Process Manager (BPM) and related products are products of IBM Corporation in the U.S. IBM Business Process Manager is an integrated business process management platform. IBM Business Automation Workflow is a set of workflow automation solutions. IBM Process Federation Server Component is an...
Tangro Business Workflow Security Vulnerability
Tangro Business Workflow is software from the German company Tangro that allows you to visualize the internal control and approval processes of SAP document content. A security vulnerability exists in tangro Business Workflow before 1.18.1, which can be exploited to manipulate documents attache...
Tangro Business Workflow Security Vulnerability
Tangro Business Workflow is software from Tangro Germany that visualizes the internal control and approval processes of SAP document content. A security vulnerability exists in tangro Business Workflow before 1.18.1, which originates from the generation of the same JWT token at every login, whi...
Tangro Business Workflow Authorization Issue Vulnerability
Tangro Business Workflow is software from the German company Tangro that visualizes the internal control and approval processes for SAP document content. A security vulnerability exists in Tangro Business Workflow versions prior to 1.18.1, which can be exploited by an attacker to...
Tangro Business Workflow Authorization Issue Vulnerability
Tangro Business Workflow is software from the German company Tangro that visualizes the internal control and approval processes for SAP document content. A vulnerability exists in Tangro Business Workflow prior to version 1.18.1 due to an authorization issue, which stems from a...
Tangro Business Workflow Access Control Error Vulnerability
Tangro Business Workflow is software from the German company Tangro that visualizes the internal control and approval processes for SAP document content. An access control error vulnerability exists in Tangro Business Workflow versions prior to 1.18.1, which stems from the fact tha...