CVE-2024-26542

Cross Site Scripting vulnerability in Bonitasoft, S.A v.7.14. and fixed in v.9.0.2, 8.0.3, 7.15.7, 7.14.8 allows attackers to execute arbitrary code via a crafted payload to the Groups Display name field.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/c0d3x27/CVEs/blob/main/CVE-2024-26542/README.md	Exploit Third Party Advisory
https://github.com/c0d3x27/CVEs/blob/main/CVE-2024-26542/README.md	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:bonitasoft:bonita_web:-:*:*:*:*:*:*:*

History

17 Sep 2025, 20:24

Type	Values Removed	Values Added
References	~~() https://github.com/c0d3x27/CVEs/blob/main/CVE-2024-26542/README.md -~~	() https://github.com/c0d3x27/CVEs/blob/main/CVE-2024-26542/README.md - Exploit, Third Party Advisory
First Time		Bonitasoft Bonitasoft bonita Web
CPE		cpe:2.3:a:bonitasoft:bonita_web:-:::::::*

21 Nov 2024, 09:02

Type	Values Removed	Values Added
References	~~() https://github.com/c0d3x27/CVEs/blob/main/CVE-2024-26542/README.md -~~	() https://github.com/c0d3x27/CVEs/blob/main/CVE-2024-26542/README.md -

15 Aug 2024, 21:35

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.1
CWE		CWE-79

27 Feb 2024, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-27 22:15

Updated : 2025-09-17 20:24

NVD link : CVE-2024-26542

Mitre link : CVE-2024-26542

CVE.ORG link : CVE-2024-26542

JSON object : View

Products Affected

bonitasoft

bonita_web

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.1 /10