We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2013-10035

ProcessMaker Open Source < 2.5.2 neoclassic Skin PHP Code Execution



Description

A code injection vulnerability exists in ProcessMaker Open Source versions 2.x when using the default 'neoclassic' skin. An authenticated user can execute arbitrary PHP code via multiple endpoints, including appFolderAjax.php, casesStartPage_Ajax.php, and cases_SchedulerGetPlugins.php, by supplying crafted POST requests to parameters such as action and params. These endpoints fail to validate user input and directly invoke PHP functions like system() with user-supplied parameters, enabling remote code execution. The vulnerability affects both Linux and Windows installations and is present in default configurations of versions including 2.0.23 through 2.5.1. The vulnerable skin cannot be removed through the web interface, and exploitation requires only valid user credentials.

Reserved 2025-07-30 | Published 2025-07-31 | Updated 2025-07-31 | Assigner VulnCheck


HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-94 Improper Control of Generation of Code ('Code Injection')

Product status

Default status
unaffected

2.x before 2.5.2
affected

Credits

bcoles finder

References

raw.githubusercontent.com/...multi/http/processmaker_exec.rb exploit

web.archive.org/...//bugs.processmaker.com/view.php?id=13436 issue-tracking patch

www.exploit-db.com/exploits/29325 exploit

www.fortiguard.com/encyclopedia/ips/37390 third-party-advisory

www.vulncheck.com/...urce-neoclassic-skin-php-code-execution third-party-advisory

cve.org (CVE-2013-10035)

nvd.nist.gov (CVE-2013-10035)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2013-10035

Support options

Helpdesk Chat, Email, Knowledgebase