CVE Analysis — ProcessMaker XSS
What You Will Learn
- What a CVE is and how vulnerability research works
- How cookie-based XSS vulnerabilities work
- Why
eval()on user-controlled data is dangerous - How to chain findings to create a full attack scenario
What Is a CVE?
A CVE (Common Vulnerabilities and Exposures) is a publicly disclosed security vulnerability with a unique identifier like CVE-2024-25506. CVEs are assigned by CVE Numbering Authorities (CNAs) after a researcher discovers and reports a vulnerability.
Each CVE entry includes:
- Description of the vulnerability
- Affected software and versions
- CVSS severity score
- References to patches and write-ups
CVE-2024-25506 — ProcessMaker Cookie-Based XSS
Description
ProcessMaker was discovered to have an XSS vulnerability due to a vulnerable implementation of how the workspace parameter is stored as a cookie value.
The vulnerability occurs when the JavaScript tries to access a cookie named pm_sys_sys and convert its contents to an object using the eval() function.
Root Cause
The code attempts to assign a JSON object to the obj variable using eval(). The insecure use of eval() enables a potential attacker who has control over the pm_sys_sys cookie to execute arbitrary JavaScript code.
// Vulnerable code pattern
var obj = eval('(' + getCookie("pm_sys_sys") + ')');
// If the cookie contains: {"sys_sys": "workflow", "ola": alert(1)}
// Then eval executes: alert(1)
Crafting an Exploit
A JavaScript eval() function executes its string argument as JavaScript code. By creating a JSON value that contains a JavaScript function, an attacker can execute arbitrary code on the vulnerable web application.
Final payload — set the cookie pm_sys_sys to:
{"sys_sys": "workflow", "ola": alert(1)}
This means an attacker can execute arbitrary JavaScript while setting the workspace field to the intended value for unsuspecting users.
// Set the malicious cookie
document.cookie = 'pm_sys_sys={"sys_sys": "workflow", "ola": alert(1)};domain=example.com;path=/;expires=2070-01-01'
Full Attack Scenario
- Attacker finds a separate XSS, subdomain takeover, or CRLF injection vulnerability on
*.example.com - Attacker uses that vulnerability to set the cookie
pm_sys_syswith the malicious payload, targeting the main domain where ProcessMaker runs - When an infected user visits the ProcessMaker login page at
sys/en/*/login/login, the XSS triggers - Since this is the login page, the exploit could be a keylogger to capture admin credentials
Why This Is Dangerous
- The attack chains two vulnerabilities (initial cookie injection + this eval XSS)
- It targets the login page — ideal for credential harvesting
- The malicious cookie blends in with legitimate cookie data
Fix
Never use eval() on user-controlled data. Use JSON.parse() instead:
// Safe alternative
try {
var obj = JSON.parse(getCookie("pm_sys_sys"));
} catch (e) {
var obj = {};
}
JSON.parse() only parses data — it does not execute code.
CVE Research Process
- Find a vulnerability through code review, fuzzing, or dynamic testing
- Confirm it is exploitable
- Identify the affected software version
- Contact the vendor (responsible disclosure)
- Vendor patches and assigns a CVE
- Public disclosure after patch is available