Advisory ID:               SYSS-2025-051
Product:                   WorkflowGen
Manufacturer:              Advantys Solutions Ltd
Affected Version(s):       9.0.7 - 9.2.9
Tested Version(s):         9.0.7
Vulnerability Type:        Improper Ownership Management (CWE-282)
Risk Level:                High
Solution Status:           Fixed
Manufacturer Notification: 2025-08-11
Public Disclosure:         2025-09-29
CVE Reference:             Not yet assigned
Author of Advisory:        Dennis Kurz, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

WorkflowGen is an application to automate processes.

The manufacturer describes the product as follows (see [1]):

"WorkflowGen offers a low-code/no-code platform to automate complex,
human-centric processes enhanced by AI agents, providing high
configurability."

Due to missing access control on multiple endpoints, the application
allows users to access information from process instances of other
users.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The following functions do not check the users' access rights, allowing
attackers to access information of other users:

- Data function: used to display information about the process instance
- Graphical tracking function: displays a graphical representation of
  the process instance
- Process forms: used to fill out the fields of a form

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1) Data function

This GET request can be used to access other process instances. The
placeholder needs to be replaced with a valid ID.

POST /wfgen/show.aspx HTTP/1.1
Host: [...]

QUERY=PROCESS_INSTANCE_DATA&ID_PROCESS_INST=&FILTER_PROCESSID=-1&ID_USER_DELEGATOR=-1

2) Graphical tracking function

This GET request can be used to access other process instances. The
placeholder needs to be replaced with a valid ID and the placeholder
with any valid process ID.

GET /wfgen/show.aspx?QUERY=PROCESS_WORKFLOW_GRAPHICAL_REQUEST&ID_PROCESS_INST=&ID_PROCESS=&ID_ACTIVITY=1&FILTER_PROCESSID=-1&INLINE=N&ID_USER_DELEGATOR=-1 HTTP/1.1
Host: [...]

3) Process forms

When starting a new process instance, the application checks the users'
access rights and creates a new folder for the instance. The name of
this folder is a UUID. After creating the folder, the instance is
initiated using a separate request that contains the relative path to
the instance folder. The initiation request and further requests to
modify or fill out the form do not check the access rights. This means
that an attacker who knows the UUID can access and modify process
instances from other users. Since guessing the UUID is not possible,
the UUID would have to be leaked.

POST /wfgen/wfapps/webforms//Formular.aspx HTTP/1.1
Host: [...]

WFGEN_INSTANCE_PATH=&WFGEN_REPLY_TO=&WFGEN_STORAGE_PATH=

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The vendor has released version 9.2.10, which addresses this
vulnerability. It is advised to upgrade to version 9.2.10 or later.
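
Added example (not part of the SySS advisory and not vendor code): a
log review for installations that ran an affected version, listing users
who requested many different ID_PROCESS_INST values through show.aspx.
It assumes IIS W3C logs with the cs-uri-stem, cs-uri-query, cs-username
and sc-status fields; the sample rows, user names, IDs and the threshold
are constructed.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# QUERY values taken from the advisory's PoC requests.
TRACKED = {"PROCESS_INSTANCE_DATA", "PROCESS_WORKFLOW_GRAPHICAL_REQUEST"}

def instances_per_user(log_text):
    """Map each cs-username to the set of ID_PROCESS_INST values it requested."""
    fields, seen = [], defaultdict(set)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):      # W3C header defines the column order
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower() != "/wfgen/show.aspx":
            continue
        if row.get("sc-status") != "200":    # assumption: served requests return 200
            continue
        # Parameters sent in a POST body are not logged and are invisible here.
        query = parse_qs(row.get("cs-uri-query", ""))
        params = {k.upper(): v for k, v in query.items()}
        if params.get("QUERY", [""])[0].upper() not in TRACKED:
            continue
        for inst in params.get("ID_PROCESS_INST", []):  # parse_qs drops blank IDs
            seen[row.get("cs-username", "-")].add(inst)
    return dict(seen)

def flag_enumeration(log_text, max_distinct=3):
    """Return users who fetched more than max_distinct different instances."""
    return {user: sorted(ids)
            for user, ids in instances_per_user(log_text).items()
            if len(ids) > max_distinct}

def _row(user, inst, status="200"):
    # Builds one constructed log row; values are illustrative only.
    return ("2025-09-01 08:00:00 GET /wfgen/show.aspx "
            f"QUERY=PROCESS_WORKFLOW_GRAPHICAL_REQUEST&ID_PROCESS_INST={inst}"
            f"&ID_PROCESS=7&ID_ACTIVITY=1 {user} {status}")

SAMPLE_LOG = "\n".join(
    ["#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username sc-status"]
    + [_row("alice", i) for i in (101, 101, 102)]
    + [_row("mallory", i) for i in range(101, 107)]
    + [_row("mallory", 999, "500")])

if __name__ == "__main__":
    for user, ids in flag_enumeration(SAMPLE_LOG).items():
        print(user, ids)
```

The result is a review list, not a verdict: compare each flagged user's
instance IDs with the participants recorded for those instances, since
some roles legitimately view many instances.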

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-07-21: Vulnerability discovered
2025-08-11: Vulnerability reported to manufacturer
2025-08-26: Enquiry about the status of the vulnerability
2025-09-04: Solution provided with release of version 9.2.10
2025-09-05: Enquiry about the status of the vulnerability
2025-09-17: Confirmation from a customer that an update was provided
2025-09-22: Enquiry for confirmation that the vulnerabilities were
            addressed by the update
2025-09-29: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for WorkflowGen
    https://www.workflowgen.com
[2] SySS Security Advisory SYSS-2025-051
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-051.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dennis Kurz of SySS GmbH.

E-Mail: dennis.kurz@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Dennis_Kurz.asc
Key ID: 0x75CC91B4103E513B
Key Fingerprint: 0B17 953A 516B B560 C4F7 8EB1 75CC 91B4 103E 513B

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en