CVE Alert

CVE-2013-10035

Severity: UNKNOWN

ProcessMaker Open Source < 2.5.2 neoclassic Skin PHP Code Execution

CVSS Score: 0.0 (no score assigned on this page)
EPSS Score: 0.0%
EPSS Percentile: 0th

A code injection vulnerability (CWE-94) exists in ProcessMaker Open Source 2.x when the default 'neoclassic' skin is in use. An authenticated user can execute arbitrary PHP code through several endpoints of that skin, including appFolderAjax.php, casesStartPage_Ajax.php and cases_SchedulerGetPlugins.php, by sending crafted POST requests with attacker-controlled values in parameters such as action and params. These endpoints do not validate the input and pass it straight into PHP functions such as system(), which yields remote code execution as the web server's PHP process user. The issue affects both Linux and Windows installations in their default configuration, including versions 2.0.23 through 2.5.1. The vulnerable skin cannot be removed through the web interface, so upgrading to 2.5.2 or later is the fix; exploitation requires nothing more than a valid user account.
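Because the affected endpoints are ordinary AJAX handlers of the neoclassic skin, a POST to one of them is not by itself evidence of exploitation; it is a lead to correlate with the authenticated user, the session and, where a reverse proxy or WAF records it, the POST body. The following Python script is an added triage example, not part of this advisory and not ProcessMaker's own code: it checks whether an installed version falls in the advisory's affected range (2.0 up to but not including 2.5.2) and scans web server access logs for POST requests whose script name matches one of the three endpoints named above. The combined log format, the function names, the sample log lines and the directory layout inside them are assumptions constructed for the example; matching is done on the script basename so the layout does not matter.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Script names taken from the advisory text. They are normal AJAX endpoints of the
# neoclassic skin, so legitimate sessions also POST to them: a hit is a triage lead,
# not proof of exploitation.
VULNERABLE_ENDPOINTS = frozenset({
    "appFolderAjax.php",
    "casesStartPage_Ajax.php",
    "cases_SchedulerGetPlugins.php",
})

# Assumed Apache/nginx "combined" access log line layout (remote host, ident, user,
# timestamp, request line, status, response size). Adjust if your format differs.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '2.5.1' into (2, 5, 1); shorter strings are zero-padded ('2.5' -> (2, 5, 0))."""
    parts = [int(p) for p in v.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]  # type: ignore[return-value]


def is_affected_version(v: str) -> bool:
    """Affected range from the advisory: 2.0 <= version < 2.5.2."""
    return (2, 0, 0) <= parse_version(v) < (2, 5, 2)


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format access log line; None if it does not match."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious_posts(lines: List[str]) -> List[Dict[str, str]]:
    """Return parsed records for POST requests aimed at one of the vulnerable scripts."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        # Strip the query string, then compare only the script basename so the
        # workspace/language/skin directory layout does not matter.
        path = urlsplit(rec["target"]).path
        script = path.rsplit("/", 1)[-1]
        if script in VULNERABLE_ENDPOINTS:
            rec["script"] = script
            hits.append(rec)
    return hits


# Constructed sample log lines (hypothetical hosts, timestamps and directory layout).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2025:10:15:01 +0000] "GET /sysworkflow/en/neoclassic/cases/main HTTP/1.1" 200 5120
10.0.0.5 - - [01/Aug/2025:10:15:07 +0000] "POST /sysworkflow/en/neoclassic/cases/casesStartPage_Ajax.php HTTP/1.1" 200 233
10.0.0.9 - - [01/Aug/2025:10:16:44 +0000] "POST /sysworkflow/en/neoclassic/appFolder/appFolderAjax.php?x=1 HTTP/1.1" 200 17
10.0.0.9 - - [01/Aug/2025:10:16:50 +0000] "GET /sysworkflow/en/neoclassic/appFolder/appFolderAjax.php HTTP/1.1" 200 17
10.0.0.7 - - [01/Aug/2025:10:17:02 +0000] "POST /sysworkflow/en/neoclassic/login/login HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for ver in ("2.0.23", "2.5.1", "2.5.2"):
        print(f"ProcessMaker {ver}: {'affected' if is_affected_version(ver) else 'not affected'}")
    for hit in find_suspicious_posts(SAMPLE_LOG.splitlines()):
        print(f"{hit['time']} {hit['ip']} POST {hit['script']} -> {hit['status']} (review session/body)")
```

Run it against a real log with `find_suspicious_posts(open(path).read().splitlines())`, then pivot on the source address and any authenticated username to see which account issued the requests; a burst of POSTs to these scripts from an account that normally never opens the case folder or scheduler views, or from an address that never loaded the surrounding pages, is what distinguishes an exploit attempt from ordinary skin traffic.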

CWE: CWE-94 (Improper Control of Generation of Code, 'Code Injection')
Vendor: ProcessMaker, Inc.
Product: ProcessMaker Open Source
Published: Jul 31, 2025
Last Updated: Apr 7, 2026

Affected Versions

ProcessMaker, Inc. / ProcessMaker Open Source: 2.x from 2.0 up to, but not including, 2.5.2

References

NVD, CVE.org, EPSS Data (external entries for this CVE)
Metasploit module (rapid7/metasploit-framework): https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/processmaker_exec.rb
ProcessMaker bug tracker issue 13436 (archived): https://web.archive.org/web/20150419043936/https://bugs.processmaker.com/view.php?id=13436
Exploit-DB 29325: https://www.exploit-db.com/exploits/29325
FortiGuard IPS encyclopedia 37390: https://www.fortiguard.com/encyclopedia/ips/37390
VulnCheck advisory: https://www.vulncheck.com/advisories/processmaker-open-source-neoclassic-skin-php-code-execution

Credits

bcoles