NewType FlowMaster BPM Plus - Privilege Escalation
Description
Remote authenticated attackers can escalate privileges to administrator by tampering with a specific cookie in FlowMaster BPM Plus before Service Pack v5.3.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A privilege escalation vulnerability exists in the FlowMaster BPM Plus system from NewType. Remote attackers with regular privileges can elevate their privileges to administrator by tampering with a specific cookie. The affected versions are those before Service Pack v5.3.1 [1][2].
Exploitation
Exploitation requires an attacker to have regular user privileges on the system and network access. By tampering with a specific cookie value, the attacker can escalate their privileges to administrator [1][2].
Impact
Successful exploitation allows the attacker to gain full administrative control over the FlowMaster BPM Plus system, leading to high confidentiality, integrity, and availability impact [2].
Mitigation
The issue is fixed in Service Pack v5.3.1 or later. Users should update to this version [2]. No workarounds are mentioned in the references.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- www.twcert.org.tw/en/cp-139-8137-ea537-2.html (mitre, third-party-advisory)
- www.twcert.org.tw/tw/cp-132-8136-4d5b4-1.html (mitre, third-party-advisory)