KEVIntel
PRO Back to KEVs
9.8
CVSS
Critical

CVE-2022-25237

PUBLISHED

Bonita Web 2021.2 is affected by a authentication/authorization bypass vulnerability due to an overly broad exclude pattern used in the...

Not yet in CISA KEV

Exploited in the wild PoC available Remote Low complexity No user interaction
Vendor
Bonitasoft
Product
Bonita Web
Published
May 27, 2022
EPSS

Automate This Intelligence with the Pro API

Everything on this page — CVSS, EPSS, exploit status, PoCs, scanner integrations, mentions, tags, and immediate honeypot data — is available programmatically for VM, SOC, and CTI workflows.

Learn about Pro

Description

Bonita Web 2021.2 is affected by a authentication/authorization bypass vulnerability due to an overly broad exclude pattern used in the RestAPIAuthorizationFilter. By appending ;i18ntranslation or /../i18ntranslation/ to the end of a URL, users with no privileges can access privileged API endpoints. This can lead to remote code execution by abusing the privileged API actions.

nuclei_scanner

CVSS Scores

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2.0 7.5 High

AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitation Status

Exploited in the wild

Recorded 2025-07-01 00:00:00 UTC · The Shadowserver (via CIRCL)

Proof of concept available

Recorded 2026-06-12 14:20:58 UTC · Nuclei Templates

References

Known Exploited Vulnerability Sources

Catalogues that list this CVE as a known exploited vulnerability.

Source Added
The Shadowserver (via CIRCL) First 2025-07-01 00:00 UTC

Scanner Integrations

Scanner Reference Detected
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-25237.yaml Jun 01, 2026

Potential Proof of Concepts

These PoCs are unverified and could contain malware. Use at your own risk.

CVE-2022-25237

nuclei · Created Unknown

Timeline

  • Proof of Concept Exploit Available

  • Detected by Nuclei

  • Added to KEVIntel

  • CVE Published to Public

  • CVE ID Reserved