Home

Description

EN DE

A vulnerability classified as critical was found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 2.5.0. Affected by this vulnerability is the function executeScript of the file /src/main/java/com/dstz/sys/rest/controller/SysScriptController.java of the component Groovy Script Handler. The manipulation of the argument script leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

In Shenzhen Dashi Tongzhou Information Technology AgileBPM bis 2.5.0 wurde eine kritische Schwachstelle entdeckt. Betroffen ist die Funktion executeScript der Datei /src/main/java/com/dstz/sys/rest/controller/SysScriptController.java der Komponente Groovy Script Handler. Durch Beeinflussen des Arguments script mit unbekannten Daten kann eine deserialization-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk passieren. Der Exploit steht zur öffentlichen Verfügung.

PUBLISHED Reserved 2025-06-04 | Published 2025-06-05 | Updated 2025-06-05 | Assigner VulDB




MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
MEDIUM: 6.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
MEDIUM: 6.3CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
6.5AV:N/AC:L/Au:S/C:P/I:P/A:P

Problem types

Deserialization

Improper Input Validation

Product status

2.0
affected

2.1
affected

2.2
affected

2.3
affected

2.4
affected

2.5.0
affected

Timeline

2025-06-04:Advisory disclosed
2025-06-04:VulDB entry created
2025-06-04:VulDB entry last update

Credits

VulDB Gitee Analyzer tool

References

vuldb.com/?id.311167 (VDB-311167 | Shenzhen Dashi Tongzhou Information Technology AgileBPM Groovy Script SysScriptController.java executeScript deserialization) vdb-entry technical-description

vuldb.com/?ctiid.311167 (VDB-311167 | CTI Indicators (IOB, IOC, IOA)) signature permissions-required

vuldb.com/?submit.585108 (Submit #585108 | https://www.tongzhouyun.com/ https://gitee.com/agile-bpm/agile-bpm-basic v2.8 (the latest version code submitted as of 20250526) Code Injection) third-party-advisory

gitee.com/agile-bpm/agile-bpm-basic/issues/ICAPT5 exploit issue-tracking

cve.org (CVE-2025-5680)

nvd.nist.gov (CVE-2025-5680)

Download JSON