CVE-2015-3897
Published: 2015-06-18
CVE-2015-3897: Directory traversal vulnerability in Bonita BPM Portal before 6.5.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the theme parameter…
Priority: P2 73 · Severity: medium · CVSS 2.0 base score: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
VulnCheck KEV: Exploited in the wild
EPSS: 17.68% (96.8th percentile)
Directory traversal vulnerability in Bonita BPM Portal before 6.5.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the theme parameter and a file path in the location parameter to bonita/portal/themeResource.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bonitasoft | bonita_bpm_portal | <= 6.5.2 | — |
Detection & IOCs (extracted from sources)
URLs:
/bonita/portal/themeResource?theme=portal/../../../../../../../../../../../../../../../../&location=etc/passwd
/bonita/portal/themeResource?theme=portal/../../../../../../../../../../../../../../../../&location=Windows/system.ini
/bonita/portal/themeResource?theme=portal/../../../../../../../../../../../../../../../../&location=Windows/win.ini
- Detect path traversal attempts targeting the themeResource endpoint by monitoring GET requests to /bonita/portal/themeResource with a 'theme' parameter containing '../' sequences and a 'location' parameter containing file paths such as 'etc/passwd' or 'Windows/system.ini'.
- Match the response body for Windows win.ini indicators: the presence of all three strings 'bit app support', 'fonts', and 'extensions' together indicates successful LFI on Windows targets.
- Match the response body against the regex 'root:[x*]:0:0:' to confirm successful /etc/passwd disclosure on Linux targets.
- The vulnerability is unauthenticated (Au:N); no session or login is required to exploit the themeResource endpoint, so detections should not filter out unauthenticated requests to this path.
- The traversal payload uses a very deep sequence of '../../../../../../../../../../../../../../../../' (16 levels) prepended to 'portal/' in the theme parameter, suggesting the application resolves paths relative to a known base directory; the exact depth may vary by installation.
- The vulnerability affects Bonita BPM Portal versions before 6.5.3; version 6.5.1 was confirmed tested on both Windows and Mac OS packages.
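The detection notes above turned into working code, as an added defender-side example that is not part of this page or of any of the cited sources: it scans constructed access-log lines for traversal requests to the themeResource endpoint (decoding twice so double-encoded '../' is not missed) and classifies a response body with the page's /etc/passwd regex and win.ini markers. The log lines, IP addresses and response bodies are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Indicators taken from the detection notes above
TARGET_PATH = "/bonita/portal/themeResource"
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
PASSWD_RE = re.compile(r"root:[x*]:0:0:")
WININI_MARKERS = ("bit app support", "fonts", "extensions")
# Combined-format access log line: ip - - [ts] "METHOD url PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) \S+" (?P<status>\d{3}) \S+')
# Constructed sample log; the addresses are documentation ranges, not real hosts
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2015:12:00:01 +0000] "GET /bonita/portal/themeResource'
    '?theme=portal/' + '../' * 16 + '&location=etc/passwd HTTP/1.1" 200 1812',
    '203.0.113.5 - - [10/Jun/2015:12:00:02 +0000] "GET /bonita/portal/themeResource'
    '?theme=portal%2F..%2F..%2F&location=Windows%2Fwin.ini HTTP/1.1" 200 92',
    '198.51.100.7 - - [10/Jun/2015:12:00:03 +0000] "GET /bonita/portal/themeResource'
    '?theme=portal&location=css/main.css HTTP/1.1" 200 4410',
]

def inspect_request(url):
    # Return details of a themeResource traversal attempt, or None for benign requests
    parts = urlsplit(url)
    if parts.path != TARGET_PATH:
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs decodes once; decode again so a double-encoded '%252e%252e%252f' is caught too
    theme = unquote(qs.get("theme", [""])[0])
    location = unquote(qs.get("location", [""])[0])
    if not TRAVERSAL_RE.search(theme):
        return None
    return {"theme": theme, "location": location, "depth": theme.count("..")}

def scan_access_log(lines):
    # One finding per log line that carries a traversal request to the endpoint
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        finding = inspect_request(m.group("url")) if m else None
        if finding:
            finding.update(ip=m.group("ip"), status=int(m.group("status")))
            hits.append(finding)
    return hits

def response_indicates_disclosure(body):
    # Classify a response body with the page's /etc/passwd regex and win.ini markers
    if PASSWD_RE.search(body):
        return "etc/passwd"
    if all(marker in body.lower() for marker in WININI_MARKERS):
        return "win.ini"
    return None
```

Pairing a flagged request with a response body that classifies as 'etc/passwd' or 'win.ini' separates confirmed disclosure from mere scanning noise, which matters given the EPSS score above.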
CVSS provenance
NVD: v2.0 5.0 MEDIUM AV:N/AC:L/Au:N/C:P/I:N/A:N
VulnCheck: 5.0 MEDIUM
GHSA
GHSA-h3jx-wfwm-w7jp: Directory traversal vulnerability in Bonita BPM Portal before 6
ghsa_unreviewed · 2022-05-14
CVE-2015-3897 [MEDIUM] CWE-22 GHSA-h3jx-wfwm-w7jp: Directory traversal vulnerability in Bonita BPM Portal before 6
Directory traversal vulnerability in Bonita BPM Portal before 6.5.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the theme parameter and a file path in the location parameter to bonita/portal/themeResource.
VulnCheck
bonitasoft bonita_bpm_portal Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck · 2015 · CVSS 5.0
CVE-2015-3897 [MEDIUM] bonitasoft bonita_bpm_portal Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
bonitasoft bonita_bpm_portal Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in Bonita BPM Portal before 6.5.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the theme parameter and a file path in the location parameter to bonita/portal/themeResource.
Affected: bonitasoft bonita_bpm_portal
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.f5.com/labs/articles/threat-intelligence/sensor-intel-series-top-cves-august-2024; https://www.f5.com/labs/articles/threat-intelligence/botpoke-scanner-switches-ip; https://www.f5.com/labs/articles/threat-intelligence/contin
No detection rules found.
Exploit-DB
Bonita BPM 6.5.1 - Multiple Vulnerabilities
exploitdb · 2015-06-10 · CVSS 5.0
CVE-2015-3898 [MEDIUM] Bonita BPM 6.5.1 - Multiple Vulnerabilities
Bonita BPM 6.5.1 - Multiple Vulnerabilities
---
Advisory ID: HTB23259
Product: Bonita BPM
Vendor: Bonitasoft
Vulnerable Version(s): 6.5.1 and probably prior
Tested Version: 6.5.1 (Windows and Mac OS packages)
Advisory Publication: May 7, 2015 [without technical details]
Vendor Notification: May 7, 2015
Vendor Patch: June 9, 2015
Public Disclosure: June 10, 2015
Vulnerability Type: Path Traversal [CWE-22], Open Redirect [CWE-601]
CVE References: CVE-2015-3897, CVE-2015-3898
Risk Level: High
CVSSv2 Base Scores: 7.8 (AV:N/AC:L/Au:N/C:C/I:N/A:N), 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
Advisory Details:
High-Tech Bridge Security Research Lab two vulnerabilities
Nuclei
Bonita BPM Portal <6.5.3 - Local File Inclusion
nuclei · CVSS 5.0
CVE-2015-3897 [MEDIUM] Bonita BPM Portal <6.5.3 - Local File Inclusion
Bonita BPM Portal <6.5.3 - Local File Inclusion
Bonita BPM Portal before 6.5.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the theme parameter and a file path in the location parameter to bonita/portal/themeResource.
Template:
id: CVE-2015-3897
info:
  name: Bonita BPM Portal <6.5.3 - Local File Inclusion
  author: 0x_Akoko
  severity: medium
  description: Bonita BPM Portal before 6.5.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the theme parameter and a file path in the location parameter to bonita/portal/themeResource.
  impact: |
    An attacker can exploit this vulnerability to read sensitive files on the server, potentially leading to unauthorized access or information disclosure.
  remediation: |
    Upgrade Bonita BPM Portal to version 6.5.3 or
References:
http://packetstormsecurity.com/files/132237/Bonita-BPM-6.5.1-Directory-Traversal-Open-Redirect.html
http://www.securityfocus.com/archive/1/535733/100/0/threaded
https://www.htbridge.com/advisory/HTB23259