CVE-2023-25780 MEDIUM

CVE-2023-25780: Status Internet Co.,Ltd. PowerBPM - Broken Access Control

Vendor: Status Internet Co.,Ltd.
Product: PowerBPM
Weakness: CWE-306 · Missing auth
Published: June 2, 2023
Last update: January 8, 2025

CVSS base score

5.7/10
Attack vector: Adjacent
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: None
Integrity: High

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01 Description

An insufficient authentication vulnerability has been identified in an important specific function of Status PowerBPM. A LAN attacker with normal user privileges can exploit this vulnerability to modify the substitute agent to arbitrary users, resulting in serious consequences.

Key dates

02 Disclosure timeline

June 2, 2023: CVE published
January 8, 2025: Record updated