NewType FlowMaster BPM Plus - SQL Injection
Description
FlowMaster BPM Plus before v5.3.1 has a SQL injection flaw in query functionality, allowing authenticated attackers to read, modify, or delete database contents.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The specific query functionality in NewType FlowMaster BPM Plus does not properly restrict user input, allowing SQL injection. The vulnerability affects versions prior to Service Pack v5.3.1 [1][2]. An attacker with regular (low-privileged) credentials can trigger the flaw through a remote network request.
Exploitation
An authenticated remote attacker needs only regular privileges and network access to the vulnerable query endpoint. No additional user interaction is required. The attacker can craft malicious SQL input in the query parameter, which is then executed against the underlying database without sanitization [2].
Impact
Successful exploitation allows the attacker to read, modify, or delete arbitrary database contents. This can lead to disclosure of sensitive data, corruption of application records, or complete denial of service. The CVSS v3.1 score is 8.8 (High) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating high confidentiality, integrity, and availability impact [2].
Mitigation
The vendor (NewType) has released Service Pack v5.3.1 which contains the fix for this vulnerability. Users should update to v5.3.1 or later immediately [2]. No workaround is described in the available references.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- www.twcert.org.tw/en/cp-139-8139-4daab-2.html (mitre, third-party-advisory)
- www.twcert.org.tw/tw/cp-132-8138-d2bb7-1.html (mitre, third-party-advisory)
News mentions
No linked articles in our index yet.