Advisory ID: SYSS-2025-053
Product: WorkflowGen
Manufacturer: Advantys Solutions Ltd
Affected Version(s): 9.0.7 - 9.2.9
Tested Version(s): 9.0.7
Vulnerability Type: External Control of Critical State Data (CWE-642)
Risk Level: High
Solution Status: Fixed
Manufacturer Notification: 2025-08-11
Public Disclosure: 2025-09-29
CVE Reference: Not yet assigned
Author of Advisory: Dennis Kurz, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

WorkflowGen is an application to automate processes.

The manufacturer describes the product as follows (see [1]):

"WorkflowGen offers a low-code/no-code platform to automate complex,
human-centric processes enhanced by AI agents, providing high
configurability."

Due to insufficient tamper protection of paths sent via the user, the
application is vulnerable to manipulation of state data.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

When starting a new process instance for a form, the following request
is sent:

Request:

POST /wfgen/wfapps/webforms//Formular.aspx HTTP/1.1
Host: [...]

WFGEN_INSTANCE_PATH=&WFGEN_REPLY_TO=&WFGEN_STORAGE_PATH=

The parameters WFGEN_INSTANCE_PATH, WFGEN_REPLY_TO and
WFGEN_STORAGE_PATH contain relative paths on the server. The application
loads the state of the process instance from the user-supplied path.

If the form contains an upload function, a user can upload the expected
XML files that represent the state of the process instance. After the
upload of the XML files, the process can be restarted with a manipulated
path that points to the uploaded files. The application will then load
the process instance based on the uploaded files.

Using this method to load process instances, it is possible to achieve
local file inclusion (LFI).
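One way to give such path parameters tamper protection, as an added example that is neither part of the SySS advisory nor the vendor's fix in version 9.2.10: the server binds the three paths to the session with an HMAC and refuses to load state when the MAC does not verify or a path leaves a directory that users cannot upload into. The key, the STATE_MAC field, INSTANCE_ROOT, the function names and the sample paths are assumptions made for illustration.

```python
import hashlib
import hmac
import posixpath

# Constructed values: the key, session ids and paths are illustrative only.
SERVER_KEY = b"constructed-demo-key"
STATE_PARAMS = ("WFGEN_INSTANCE_PATH", "WFGEN_REPLY_TO", "WFGEN_STORAGE_PATH")
INSTANCE_ROOT = "instances"  # hypothetical directory users cannot upload into


def _mac(session_id, params):
    # Length-prefix each field so bytes cannot be moved between parameters.
    fields = [session_id] + [params[name] for name in STATE_PARAMS]
    msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_state(session_id, params):
    """Server hands the paths to the client together with a MAC over them."""
    return {**params, "STATE_MAC": _mac(session_id, params)}


def under_root(rel_path, root=INSTANCE_ROOT):
    """Lexical check that a relative path stays below the instance root."""
    norm = posixpath.normpath(rel_path.replace("\\", "/"))
    # ':' rejects drive letters and NTFS alternate data streams.
    return ":" not in norm and (norm == root or norm.startswith(root + "/"))


def accept_state(session_id, form):
    """Server verifies the returned paths before loading any state from them."""
    if "STATE_MAC" not in form or any(name not in form for name in STATE_PARAMS):
        return False
    expected = _mac(session_id, form).encode()
    if not hmac.compare_digest(expected, form["STATE_MAC"].encode()):
        return False
    return all(under_root(form[name]) for name in STATE_PARAMS)
```

The MAC is the primary control, since a path pointing at uploaded files can still look like an ordinary relative path; the root check only helps if upload storage and instance state live in separate directories.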

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

To achieve LFI, a manipulated context.xml file can be used. This XML
file is utilized to define parameters for the EFORMASPX "workflow
application".

Using the context.xml PoC, a file upload is initiated with a local file
from the server. The application contains a function that allows users
to download a file they uploaded. A file used to initiate a file upload
is treated as an uploaded file. This means that it can be downloaded
using the download function.

The context.xml PoC is as follows:

{NAME_OF_UPLOAD_FIELD} FILE INOUT {PATH_TO_LOCAL_FILE}

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The vendor has released version 9.2.10, which addresses this
vulnerability. It is advised to upgrade to version 9.2.10 or later.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-07-21: Vulnerability discovered
2025-08-11: Vulnerability reported to manufacturer
2025-08-26: Enquiry about the status of the vulnerability
2025-09-04: Solution provided with release of version 9.2.10
2025-09-05: Enquiry about the status of the vulnerability
2025-09-17: Confirmation from a customer that an update was provided
2025-09-22: Enquiry for confirmation that the vulnerabilities were
            addressed by the update
2025-09-29: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for WorkflowGen
    https://www.workflowgen.com
[2] SySS Security Advisory SYSS-2025-053
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-053.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Dennis Kurz of SySS GmbH.

E-Mail: dennis.kurz@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Dennis_Kurz.asc
Key ID: 0x75CC91B4103E513B
Key Fingerprint: 0B17 953A 516B B560 C4F7 8EB1 75CC 91B4 103E 513B

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en