CVE Details
Basic Information
| Title | Shenzhen Dashi Tongzhou Information Technology AgileBPM Groovy Script SysScriptController.java executeScript deserialization |
|---|---|
| Type | cve |
| Published | 2025-06-05T19:31:09.376Z |
| Last Seen | |
Product Information
| Vendor | Shenzhen Dashi Tongzhou Information Technology |
|---|---|
| Product | AgileBPM |
| Version | 2.0 |
CVSS Information
| Base Score | 5.3 (MEDIUM) |
|---|---|
| Attack Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
| Confidentiality Impact | |
| Integrity Impact | |
| Availability Impact | |
AI Analysis
| AI Description | A critical vulnerability in AgileBPM up to version 2.5.0 allows remote attackers to exploit the executeScript function, leading to deserialization. The exploit is publicly available. |
|---|---|
| AI Severity | Medium |
| Vendor | Shenzhen Dashi Tongzhou Information Technology |
| Product | AgileBPM |
| Affected Version | 2.0, 2.1, 2.2, 2.3, 2.4, 2.5.0 |
Affected Products
- Shenzhen Dashi Tongzhou Information Technology AgileBPM 2.0
- Shenzhen Dashi Tongzhou Information Technology AgileBPM 2.1
- Shenzhen Dashi Tongzhou Information Technology AgileBPM 2.2
- Shenzhen Dashi Tongzhou Information Technology AgileBPM 2.3
- Shenzhen Dashi Tongzhou Information Technology AgileBPM 2.4
- Shenzhen Dashi Tongzhou Information Technology AgileBPM 2.5.0
Additional Information
| CVE List | |
|---|---|
| CWE List | CWE-502, CWE-20 |
| Bulletin Family | |
References
Description
A vulnerability classified as critical was found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 2.5.0. Affected by this vulnerability is the function executeScript of the file /src/main/java/com/dstz/sys/rest/controller/SysScriptController.java of the component Groovy Script Handler. The manipulation of the argument script leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.