Description: Bonitasoft, S.A., a leading provider of open-source business process management solutions, recently discovered a cross-site scripting (XSS) vulnerability in their v.7.14 software. As a result, attackers can execute arbitrary code by crafting a malicious payload and inserting it into the "Groups Display name" field. This post details the CVE-2024-26542 vulnerability and links to the original references and exploit details. The issue has been fixed in versions 9..2, 8..3, 7.15.7, and 7.14.8.

The Vulnerability (CVE-2024-26542)

A cross-site scripting (XSS) vulnerability has been discovered in Bonitasoft v.7.14. This security flaw allows remote attackers to inject malicious code into the "Groups Display name" field, which can then be executed in the context of an authenticated user's web browser. The payload allows an attacker to steal sensitive information, manipulate page content, or undertake other unauthorized actions.

An attacker can exploit this flaw by crafting an XSS payload that is executed when a victim views or interacts with the affected field.

editConnectionForm.html snippet

<textarea
    id="groups-display"
    data-ng-model="selectedGroups.displayName"
    ...>
</textarea>

The Bonitasoft versions affected by this vulnerability include:

* Bonitasoft v.7.14 (before v.7.14.8)
* Bonitasoft v.7.15 (before v.7.15.7)
* Bonitasoft v.8. (before 8..3)
* Bonitasoft v.9. (before 9..2)

Users can mitigate the vulnerability by updating their Bonitasoft software to any of the following fixed versions:

* Bonitasoft v.7.14.8
* Bonitasoft v.7.15.7
* Bonitasoft v.8..3
* Bonitasoft v.9..2

References

* CVE-2024-26542 NVD Entry
* Bonitasoft Security Advisory

Exploit Details

While we encourage users to update their Bonitasoft software to the latest version, we also want to highlight the importance of validating and sanitizing user input.
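As an added illustration of that point (example code, not Bonitasoft's own), the block below shows two defensive layers for a field like the group display name bound in the textarea above: an allow-list validator for the stored value and HTML entity encoding at render time. The length limit, the permitted character set and the sample inputs are assumptions made for this example, not values taken from the advisory.

```javascript
// Added example (not Bonitasoft code): defensive handling of a group display name value.
// Layer 1: allow-list validation of what may be stored.
// Layer 2: HTML entity encoding whenever the value is placed into markup.

// Assumed limit for this example; the advisory does not state one.
const MAX_DISPLAY_NAME_LEN = 255;

// Allow letters (any script), digits, spaces and a few punctuation characters.
// Markup-relevant characters such as < > " / are deliberately absent.
const DISPLAY_NAME_RE = /^[\p{L}\p{N} _.,'&()-]+$/u;

function validateGroupDisplayName(name) {
  if (typeof name !== "string") return { ok: false, reason: "not a string" };
  const trimmed = name.trim();
  if (trimmed.length === 0) return { ok: false, reason: "empty" };
  if (trimmed.length > MAX_DISPLAY_NAME_LEN) return { ok: false, reason: "too long" };
  if (!DISPLAY_NAME_RE.test(trimmed)) return { ok: false, reason: "disallowed characters" };
  return { ok: true, value: trimmed };
}

// Encode the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render the field with the value encoded, so even a value that bypassed validation
// (for example legacy data already in the database) cannot break out of the element.
function renderGroupDisplayField(displayName) {
  return `<textarea id="groups-display">${escapeHtml(displayName)}</textarea>`;
}

// Constructed sample inputs for demonstration.
const SAMPLES = ["R&D Team", "Équipe Ventes", "</textarea><b>hi</b>"];
for (const s of SAMPLES) {
  const v = validateGroupDisplayName(s);
  console.log(JSON.stringify(s), "valid:", v.ok, v.ok ? "" : v.reason);
  console.log("  rendered:", renderGroupDisplayField(s));
}
```

Validation alone is not sufficient, because data stored before the check existed is still rendered; the encoding step is what keeps such values inert in the browser.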

Conclusion

In summary, the CVE-2024-26542 XSS vulnerability in Bonitasoft v.7.14 can allow attackers to execute arbitrary code via a crafted payload submitted to the "Groups Display name" field. Users of affected software versions should update to the fixed releases to mitigate the risk presented by this vulnerability.

Timeline

Published on: 02/27/2024 22:15:15 UTC
Last modified on: 02/28/2024 14:06:45 UTC