CVE-2015-3897
published 2015-06-18


Priority: P2 (73)
CVSS 2.0: 5 (medium)
Vector: AV:N / AC:L / Au:N / C:P / I:N / A:N
Flags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 17.68% (96.8th percentile)
Directory traversal vulnerability in Bonita BPM Portal before 6.5.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the theme parameter and a file path in the location parameter to bonita/portal/themeResource.

Affected

1 range

Vendor       Product             Version range   Fixed in
bonitasoft   bonita_bpm_portal   <= 6.5.2

Detection & IOCs (extracted from sources)

url: /bonita/portal/themeResource?theme=portal/../../../../../../../../../../../../../../../../&location=etc/passwd
url: /bonita/portal/themeResource?theme=portal/../../../../../../../../../../../../../../../../&location=Windows/system.ini
url: /bonita/portal/themeResource?theme=portal/../../../../../../../../../../../../../../../../&location=Windows/win.ini
path: /bonita/portal/themeResource
port: 8080
regex: root:[x*]:0:0:
  • Detect path traversal attempts targeting the themeResource endpoint by monitoring GET requests to /bonita/portal/themeResource with a 'theme' parameter containing '../' sequences and a 'location' parameter containing file paths such as 'etc/passwd' or 'Windows/system.ini'.
  • Match response body for Windows win.ini indicators: presence of all three strings 'bit app support', 'fonts', and 'extensions' together indicates successful LFI on Windows targets.
  • Match response body against regex 'root:[x*]:0:0:' to confirm successful /etc/passwd disclosure on Linux targets.
  • The vulnerability is unauthenticated (Au:N); no session or login is required to exploit the themeResource endpoint, so detections should not filter out unauthenticated requests to this path.
  • The traversal payload uses a very deep sequence of '../../../../../../../../../../../../../../../../' (16 levels) prepended to 'portal/' in the theme parameter, suggesting the application resolves paths relative to a known base directory; the exact depth may vary by installation.
  • The vulnerability affects Bonita BPM Portal versions before 6.5.3; version 6.5.1 was confirmed tested on both Windows and Mac OS packages.
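The detection logic in the bullets above, as an added example that is not part of this record or of any Bonita or vendor tooling: it parses constructed access-log lines (Common Log Format, made-up IPs and timestamps), flags GET requests to /bonita/portal/themeResource whose decoded theme parameter contains a '..' path segment, and checks a response body for the /etc/passwd regex and the three win.ini markers listed above. It generalizes slightly beyond the page by also decoding a second layer of percent-encoding and by accepting backslash separators; the log format and the alert dictionary shape are assumptions of the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Common Log Format); IPs, timestamps and sizes are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Jun/2015:10:01:02 +0000] "GET /bonita/portal/themeResource?theme=portal/../../../../../../../../../../../../../../../../&location=etc/passwd HTTP/1.1" 200 1843
203.0.113.10 - - [18/Jun/2015:10:01:05 +0000] "GET /bonita/portal/themeResource?theme=portal%2F..%2F..%2F..%2F&location=Windows%2Fwin.ini HTTP/1.1" 200 412
198.51.100.7 - - [18/Jun/2015:10:02:11 +0000] "GET /bonita/portal/themeResource?theme=portal&location=css/main.css HTTP/1.1" 200 9120
198.51.100.7 - - [18/Jun/2015:10:02:12 +0000] "GET /bonita/portal/homepage HTTP/1.1" 200 5120
"""

# Minimal Common Log Format parser (assumed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

THEME_RESOURCE_PATH = "/bonita/portal/themeResource"

# A '..' segment delimited by '/', '\' or the string boundary (covers Windows-style separators too).
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

# Response-body indicators from the IOC list: Linux passwd regex and the three win.ini strings.
PASSWD_RE = re.compile(r'root:[x*]:0:0:')
WIN_INI_MARKERS = ("bit app support", "fonts", "extensions")


def _query_params(target):
    """Return the request's decoded query parameters, decoding percent-encoding twice
    so a double-encoded '%252e%252e' still normalizes to '..'."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)  # first decode happens here
    return parts.path, {k: unquote(v[0]) for k, v in qs.items()}  # second decode


def is_traversal_request(target):
    """True if the request targets themeResource with a '..' segment in the theme parameter."""
    path, params = _query_params(target)
    if path != THEME_RESOURCE_PATH:
        return False
    return TRAVERSAL_RE.search(params.get("theme", "")) is not None


def scan_log(text):
    """Scan access-log text and return one alert per matching GET request.
    Unauthenticated requests are deliberately not filtered out (Au:N)."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        if is_traversal_request(m.group("target")):
            _, params = _query_params(m.group("target"))
            alerts.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "location": params.get("location", ""),
                "cve": "CVE-2015-3897",
            })
    return alerts


def body_indicates_disclosure(body):
    """Classify a response body as a successful file read, or None if no indicator matches."""
    if PASSWD_RE.search(body):
        return "linux:/etc/passwd"
    lower = body.lower()
    if all(marker in lower for marker in WIN_INI_MARKERS):
        return "windows:win.ini"
    return None


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

A request-side hit with a 200 status is a strong signal on its own; pairing it with a body-side indicator (where the proxy or WAF logs response bodies) turns "attempt" into "confirmed disclosure". The second sample line shows why decoding matters: the same traversal arrives percent-encoded and would be missed by a literal '../' string match on the raw request line.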

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck             5.0     MEDIUM