Vinna Process Monitor Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in Vinna Process Monitor versions 4.0.0 through 4.0.6 and 3.1.0 through 3.1.4. This vulnerability allows authenticated remote attackers with low privileges to inject malicious JavaScript into the application. When an administrative user accesses a document containing the injected script, the JavaScript executes and steals administrative access tokens and session credentials.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user accessing the affected content. In this case, it specifically targets administrative users, stealing their Bearer tokens and granting full access to the application.

Reproduction

To reproduce this vulnerability, an authenticated user must upload a malicious HTML file containing JavaScript payloads into the Media import feature. Once uploaded, an admin user must click on the link to the file, which will trigger the execution of the JavaScript and exfiltrate the admin's Bearer token from browser storage.

Remediation

Users of Vinna Process Monitor 4.0 should upgrade to version 4.0.7 or later. Users on the 3.1.x branch should upgrade to 4.0.7 or apply temporary workarounds until version 3.1.8 is released.