CVE-2024-41453
Description
A cross-site scripting (XSS) vulnerability in Process Maker pm4core-docker 4.1.21-RC7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in ProcessMaker pm4core-docker 4.1.21-RC7 via unsanitized Name parameter during process import allows arbitrary script execution.
Vulnerability Overview
CVE-2024-41453 is a stored cross-site scripting (XSS) vulnerability in ProcessMaker pm4core-docker version 4.1.21-RC7. The flaw resides in the process import functionality, where the Name parameter is not properly sanitized before being stored and later rendered. An attacker can inject arbitrary HTML or JavaScript code into this parameter, which will be executed when an administrator views or archives the imported process [1][2].
Exploitation Prerequisites
To exploit this vulnerability, an attacker must craft a malicious JSON file containing an XSS payload in the Name field. This file is then sent to a ProcessMaker administrator, who must import it as a new process. The attack relies on social engineering to convince the admin to import the file. Once imported, the payload is stored and triggered when the admin later attempts to archive the process, executing the injected script in the context of the admin's browser session [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the administrator's browser. This can lead to session hijacking, theft of sensitive data, or unauthorized actions within the ProcessMaker application, potentially compromising the entire system.
Mitigation Status
As of the publication date (January 15, 2025), no official patch has been released by ProcessMaker. The vendor should implement proper input validation and output encoding for all user-supplied data, especially in import functions. Until a fix is available, administrators are advised to avoid importing process files from untrusted sources and to restrict administrative privileges.
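As an added example (not ProcessMaker's own code), the two controls named above in JavaScript: allow-list validation of the imported Name field at import time, and HTML encoding of the stored value when it is rendered in the admin view. The import JSON shape, field names and sample values are assumptions constructed for illustration.

```javascript
// Added example, not ProcessMaker code. Demonstrates the two defensive points:
// 1) validate the Name field of an imported process definition on import;
// 2) HTML-encode any stored name before it is interpolated into admin markup.
// The import JSON structure and field names below are assumed for the example.

const NAME_MAX = 120;
// Conservative allow-list for a process name: letters, digits, space, _ . - ( )
const NAME_PATTERN = /^[\p{L}\p{N} _.\-()]+$/u;

// Validate the Name field of a parsed import file. Returns { ok, name } or { ok, reason }.
function validateImportName(importJson) {
  const name = importJson && importJson.name;
  if (typeof name !== 'string' || name.length === 0) {
    return { ok: false, reason: 'name missing or not a string' };
  }
  if (name.length > NAME_MAX) return { ok: false, reason: 'name too long' };
  if (!NAME_PATTERN.test(name)) {
    return { ok: false, reason: 'name contains disallowed characters' };
  }
  return { ok: true, name };
}

// Encode a value for an HTML text context: the five characters that matter.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering of the archive confirmation row: every stored value is
// passed through escapeHtml before interpolation, so markup in Name is inert.
function renderArchiveRow(process) {
  return `<tr><td>${escapeHtml(process.name)}</td><td>${escapeHtml(process.status)}</td></tr>`;
}

// Vulnerable counterpart for comparison: the stored value is interpolated raw,
// which is the pattern the CVE describes.
function renderArchiveRowUnsafe(process) {
  return `<tr><td>${process.name}</td><td>${process.status}</td></tr>`;
}

// Constructed samples: a benign import and one carrying markup in Name.
const benignImport = { name: 'Invoice Approval v2', status: 'ACTIVE' };
const markupImport = { name: 'Invoice <b>Approval</b>', status: 'ACTIVE' };
```

With the constructed samples, validation rejects the second import outright, and even if such a name reached storage, the hardened row renders it as literal text while the unsafe row emits the markup unchanged.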
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 4.1.21-RC7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
News mentions
No linked articles in our index yet.