103 matches found
PT-2025-31533 · Undefined · Undefined
A code injection vulnerability exists in ProcessMaker Open Source versions 2.x when using the default 'neoclassic' skin. An authenticated user can execute arbitrary PHP code via multiple endpoints, including appFolderAjax.php, casesStartPage_Ajax.php, and cases_SchedulerGetPlugins.php, by supplyi...
ProcessMaker Open Source Security Vulnerability
ProcessMaker Open Source is a workflow management software from US-based ProcessMaker, Inc. A security vulnerability exists in ProcessMaker Open Source versions 2.0.23 through 2.5.1 that originates from multiple endpoints that do not validate user input and could lead to remote code execution...
CVE-2025-34097
An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugin’s install...
CVE-2025-34097
An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugin’s install...
CVE-2025-34097 ProcessMaker < 3.5.4 Authenticated Plugin Upload RCE
An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugin’s install...
CVE-2025-34097
CVE-2025-34097 : Unrestricted file upload in ProcessMaker
CVE-2025-34097 ProcessMaker < 3.5.4 Authenticated Plugin Upload RCE
An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugin’s install...
PT-2025-29139 · Unknown · Processmaker
Name of the Vulnerable Software and Affected Versions: ProcessMaker versions prior to 3.5.4 Description: An unrestricted file upload vulnerability exists due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file...
ProcessMaker Code Issue Vulnerability
ProcessMaker is a PHP-written site builder for business process management (BPM) and workflow management from ProcessMaker Inc. in the United States. A security vulnerability exists in ProcessMaker versions prior to 3.5.4 that stems from improper handling of plugin uploads, which could lead to remo...
CVE-2024-25506
Cross Site Scripting vulnerability in Process Maker, Inc ProcessMaker before 4.0 allows a remote attacker to run arbitrary code via control of the pm_sys_sys cookie...
CVE-2020-13526
SQL injection vulnerability exists in the handling of sort parameters in ProcessMaker 3.4.11. A specially crafted HTTP request can cause an SQL injection. The reportTablesAjax and clientSetupAjax pages are vulnerable to SQL injection in the sort parameter. An attacker can make an authenticated HTT...
CVE-2020-13525
The sort parameter in the download page /sysworkflow/en/neoclassic/reportTables/reportTablesAjax is vulnerable to SQL injection in ProcessMaker 3.4.11. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability...
ProcessMaker Security Vulnerability
ProcessMaker is a PHP-written site builder for business process management (BPM) and workflow management from ProcessMaker, Inc. in the United States. A security vulnerability exists in ProcessMaker pm4core-docker version 4.1.21-RC7, which stems from the inclusion of a cross-site scripting...
ProcessMaker Security Vulnerability
ProcessMaker is a PHP-written website builder for business process management (BPM) and workflow management from ProcessMaker Inc. in the United States. A security vulnerability exists in ProcessMaker pm4core-docker version 4.1.21-RC7, which originates from an arbitrary file upload vulnerability in...
CVE-2024-25506
Cross Site Scripting vulnerability in Process Maker, Inc ProcessMaker before 4.0 allows a remote attacker to run arbitrary code via control of the pm_sys_sys cookie...
CVE-2024-25506
Cross Site Scripting vulnerability in Process Maker, Inc ProcessMaker before 4.0 allows a remote attacker to run arbitrary code via control of the pm_sys_sys cookie...
PT-2024-20968 · Unknown · Processmaker
Name of the Vulnerable Software and Affected Versions: ProcessMaker versions prior to 4.0 Description: The issue allows a remote attacker to run arbitrary code via control of the pm_sys_sys cookie. This can lead to a Cross Site Scripting attack. Recommendations: For versions prior to 4.0, update ...
ProcessMaker Security Vulnerability
ProcessMaker is a PHP-written site builder for business process management (BPM) and workflow management from ProcessMaker, Inc. in the United States. A security vulnerability exists in ProcessMaker versions prior to 4.0 that stems from the presence of a cross-site scripting vulnerability that coul...
BIT-PROCESSMAKER-2020-13525
The sort parameter in the download page /sysworkflow/en/neoclassic/reportTables/reportTablesAjax is vulnerable to SQL injection in ProcessMaker 3.4.11. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability...
BIT-PROCESSMAKER-2020-13526
SQL injection vulnerability exists in the handling of sort parameters in ProcessMaker 3.4.11. A specially crafted HTTP request can cause an SQL injection. The reportTablesAjax and clientSetupAjax pages are vulnerable to SQL injection in the sort parameter. An attacker can make an authenticated HTT...