CVE-2024-41454

MEDIUM

Process Maker pm4core-docker <4.1.21-RC7 - RCE

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-41454. PoCs published by code5ecure.

AI-analyzed exploit summary: This repository provides a detailed technical writeup for CVE-2024-41454, a stored XSS vulnerability in ProcessMaker 4.1.21. It includes step-by-step exploitation details, screenshots, and analysis of the lack of input sanitization in the import function.

Description

An arbitrary file upload vulnerability in the UI login page logo upload function of Process Maker pm4core-docker 4.1.21-RC7 allows attackers to execute arbitrary code via uploading a crafted PHP or HTML file.

Exploits (1)

GitHub writeup by code5ecure (PoC)
https://github.com/code5ecure/CVE-2024-41453_CVE-2024-41454

Classification: Writeup (90% confidence)
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: ProcessMaker 4.1.21
Auth required: yes
Prerequisites: Access to ProcessMaker admin interface · Ability to upload malicious JSON file
Analyzed by devstral-2 on Feb 19, 2026

References (1)


Scores

CVSS v3: 6.5
EPSS: 0.0046
EPSS Percentile: 36.3%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CISA SSVC (Vulnrichment)

Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-434
Status: published
Published: Jan 15, 2025
Tracked Since: Feb 18, 2026