Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-41453 PoC — ProcessMaker 安全漏洞

Source
https://github.com/php-lover-boy/CVE-2024-41453_CVE-2024-41454
Associated Vulnerability
Title:ProcessMaker 安全漏洞 (CVE-2024-41453)
Description:ProcessMaker是美国ProcessMaker公司的一个Php编写的用于商业进程管理(BPM)和工作流管理的建站系统。 ProcessMaker pm4core-docker 4.1.21-RC7版本存在安全漏洞,该漏洞源于包含一个跨站脚本漏洞。攻击者利用该漏洞可以通过注入 Name 参数的特制有效载荷执行任意 Web 脚本或 HTML。
Description
CVE-2024-41454, CVE-2024-41453
Readme
<b> #CVE-2024-41453 </b>

<b> #CVE-2024-41454 </b>

ProcessMaker Vulnerabilites (just for education):
@ryancooley @velkymx @nolanpro @caleeli

- install ProcessMaker 4 Core Docker Instance frome this repository:
https://github.com/ProcessMaker/pm4core-docker

- this is latest pm docker version (PM_VERSION=4.1.21), below image is the .env file.
   ![image](https://github.com/php-lover-boy/processmaker/assets/111951701/6399239e-8f0b-467e-8f44-dedb21130389)
  
# Stored Xss
1. create a json file with xss payload.
   ![image](https://github.com/php-lover-boy/processmaker/assets/111951701/fc68a457-7ae6-4b5d-bcc0-8ed79b4a9871)
(I uploaded sample file named: sample.json)

2.Send this file to process admin user and request to import thie file as a process.
![image](https://github.com/php-lover-boy/processmaker/assets/111951701/42c2568d-8176-4b48-a738-b71a6e7e3d53)
![image](https://github.com/php-lover-boy/processmaker/assets/111951701/97d5524c-4227-47f9-805a-d2bc402b2465)
![image](https://github.com/php-lover-boy/processmaker/assets/111951701/ff1da235-b5f3-4af4-8f06-4ac3147997dc)

3. when admin user import this file and try to archive this process, the malicious javascript code will be executed. 

(chrome latest version: Version 126.0.6478.127 (Official Build) (64-bit))

![image](https://github.com/php-lover-boy/processmaker/assets/111951701/c62fdb6a-2303-46c9-8df8-6e07f617a9d5)

It is obvius that in import function there is lack of user input sanitization. 

# Maliciuos file upload 
1. admin user can upload html file and bypass image restrication in Customize UI, custom login logo upload section.
  ![image](https://github.com/php-lover-boy/processmaker/assets/111951701/802a0386-9977-4c9a-a508-09a761e49e6e)


2. this is uploaded file:
![image](https://github.com/php-lover-boy/processmaker/assets/111951701/078df8da-12dd-4105-a85f-ba0d00e3aa80)

3. also it is possible to uplaod php file but its not executed.
   ![image](https://github.com/php-lover-boy/processmaker/assets/111951701/9a441470-5baa-46f2-a023-14093957487d)
![image](https://github.com/php-lover-boy/processmaker/assets/111951701/a6cc1129-3d0f-477c-b22e-756f452249c0)

there is lack of proper input validation in uploaders.
File Snapshot

 [4.0K]  /data/pocs/ca639dcdfb2857fb4b7317ad76c3823d0376ebd1
├── [2.2K]  README.md
└── [2.2K]  sample.json

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.