Arbitrary File Upload Vulnerability in Process Maker by ProcessMaker
CVE-2024-41454

6.5 MEDIUM

Key Information:

Vendor
CVE Published: 15 January 2025

What is CVE-2024-41454?

CVE-2024-41454 is an arbitrary file upload vulnerability in the logo upload function on the UI login page of Process Maker pm4core-docker 4.1.21-RC7. It allows malicious users to upload specially crafted PHP or HTML files, which can enable them to execute arbitrary code on the server, leading to unauthorized access and potential control over the application.

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
