#CVE-2024-41453
#CVE-2024-41454
ProcessMaker Vulnerabilites (just for education): @ryancooley @velkymx @nolanpro @caleeli
-
install ProcessMaker 4 Core Docker Instance frome this repository: https://github.com/ProcessMaker/pm4core-docker
-
this is latest pm docker version (PM_VERSION=4.1.21), below image is the .env file.
- create a json file with xss payload.
(I uploaded sample file named: sample.json)
2.Send this file to process admin user and request to import thie file as a process.
- when admin user import this file and try to archive this process, the malicious javascript code will be executed.
(chrome latest version: Version 126.0.6478.127 (Official Build) (64-bit))
It is obvius that in import function there is lack of user input sanitization.
-
admin user can upload html file and bypass image restrication in Customize UI, custom login logo upload section.
-
this is uploaded file:
-
also it is possible to uplaod php file but its not executed.
there is lack of proper input validation in uploaders.