cbcvebase.
CVE-2013-10035
published 2025-07-31

CVE-2013-10035: A code injection vulnerability exists in ProcessMaker Open Source versions 2.x when using the default 'neoclassic' skin. An authenticated user can execute…

PriorityP263high8.7CVSS 4.0
AVNACLATNPRLUINVCHVIHVAHSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EXPLOIT
EPSS
1.40%
69.0th percentile
A code injection vulnerability exists in ProcessMaker Open Source versions 2.x when using the default 'neoclassic' skin. An authenticated user can execute arbitrary PHP code via multiple endpoints, including appFolderAjax.php, casesStartPage_Ajax.php, and cases_SchedulerGetPlugins.php, by supplying crafted POST requests to parameters such as action and params. These endpoints fail to validate user input and directly invoke PHP functions like system() with user-supplied parameters, enabling remote code execution. The vulnerability affects both Linux and Windows installations and is present in default configurations of versions including 2.0.23 through 2.5.1. The vulnerable skin cannot be removed through the web interface, and exploitation requires only valid user credentials.

Affected

1 ranges
VendorProductVersion rangeFixed in
processmaker_incprocessmaker_open_source>= 2.0 < 2.5.22.5.2

Detection & IOCsextracted from sources · hover to see the quote

path/skins/neoclassic/appFolderAjax.php
path/skins/neoclassic/casesStartPage_Ajax.php
path/skins/neoclassic/cases_SchedulerGetPlugins.php
commandsystem()
  • Monitor for POST requests targeting the three vulnerable neoclassic skin endpoints (appFolderAjax.php, casesStartPage_Ajax.php, cases_SchedulerGetPlugins.php) with suspicious 'action' or 'params' POST body parameters containing PHP code or shell commands.
  • Exploitation requires valid user credentials; alert on authenticated sessions that subsequently trigger process/command execution from a web server context (e.g., Apache/PHP spawning shell processes).
  • The vulnerable 'neoclassic' skin cannot be removed via the web interface; presence of the skin directory on disk in a ProcessMaker 2.x installation indicates persistent attack surface regardless of configuration changes.
  • A Metasploit module exists for this vulnerability; look for Metasploit-characteristic HTTP patterns (e.g., default User-Agent strings, staged payload delivery) targeting ProcessMaker endpoints.
  • ·The vulnerability is present in default configurations of ProcessMaker Open Source 2.x (versions 2.0.23 through 2.5.1); the neoclassic skin is installed by default and cannot be removed via the web interface, meaning all default installs in this range are affected.
  • ·The vulnerability affects both Linux and Windows installations, so detection and remediation strategies must account for both OS environments.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.