TWCERT/CC Taiwan Computer Emergency Response Team/Coordination Center-Status Internet Co. Ltd PowerBPM

Status Internet Co. Ltd PowerBPM - Broken Access Control

TVN ID	TVN-202305001
CVE ID	CVE-2023-25780
CVSS	5.7 (Medium) CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Affected Products	Status Internet Co.,Ltd. PowerBPM v2.0
Description	It is identified a vulnerability of insufficient authentication in an important specific function of Status PowerBPM. A LAN attacker with normal user privilege can exploit this vulnerability to modify substitute agent to arbitrary users, resulting in serious consequence.
Solution	Contact Status Internet Co. Ltd
Credit	E4
Public Date	2023-06-16

Status Internet Co. Ltd PowerBPM - Broken Access Control