CVE-2024-46481
Published: 13 January 2025
Description
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Security Summary
CVE-2024-46481 is an open redirect vulnerability in the login page of Venki Supravizio BPM versions up to 18.1.1, which can be chained to enable reflected cross-site scripting (XSS). This issue falls under CWE-601 and carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and scope change with low impacts on confidentiality and integrity.
The vulnerability can be exploited by unauthenticated attackers with network access to the affected login page. Exploitation involves crafting a malicious redirect URL that, when processed, leads to reflected XSS execution in the victim's browser, potentially allowing limited theft of sensitive data like login credentials or session information without requiring user privileges.
Mitigation details are available in the referenced advisories, including the research disclosure at https://github.com/Lorenzo-de-Sa/Vulnerability-Research/blob/main/CVE-2024-46481.md and the vendor's Supravizio page at https://www.venki.com.br/ferramenta-bpm/supravizio/. Security practitioners should consult these for patching instructions or workarounds specific to Venki Supravizio BPM.
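As an added illustration (not code from Venki Supravizio BPM or the referenced advisory), this is the kind of server-side check that closes a CWE-601 login redirect and, combined with output escaping, the reflected-XSS chain the summary describes; the parameter name, the path allowlist and the fallback target are assumptions.

```python
"""Defensive handling of a post-login redirect parameter (CWE-601).

Illustrative example only, not the vendor's code. Assumes the login page
reads the return target from a query parameter (assumed name: 'redirect')
and later writes it into a Location header or into the page HTML.
"""
import html
import re
from urllib.parse import urlsplit, urlunsplit

# Assumed policy: only a same-origin path is ever accepted. The lookahead
# refuses '//' and '/\' openings, which browsers treat as a new authority.
SAFE_PATH = re.compile(r"^/(?![/\\])[A-Za-z0-9._~!$&'()*+,;=:@%/?#-]*$")
# ASCII controls, space and DEL: some browsers strip these before parsing,
# so 'java\nscript:' must be normalised before any scheme check runs.
_CONTROL = re.compile(r"[\x00-\x20\x7f]")


def normalize_redirect(raw: str, fallback: str = "/") -> str:
    """Return a safe same-origin path for 'raw', or 'fallback'.

    Refuses absolute URLs, protocol-relative '//host' forms, backslash
    variants and any scheme at all (http:, javascript:, data:, ...), which
    is what turns an open redirect into script execution in the browser.
    """
    if not raw:
        return fallback
    cleaned = _CONTROL.sub("", raw)
    parts = urlsplit(cleaned)          # lower-cases the scheme for us
    if parts.scheme or parts.netloc:
        return fallback
    if not SAFE_PATH.match(cleaned):
        return fallback
    # Re-serialise so only path and query survive; the fragment is dropped.
    return urlunsplit(("", "", parts.path, parts.query, ""))


def redirect_link_html(raw: str) -> str:
    """Reflect the target into HTML only after validation *and* escaping.

    Escaping the attribute value is the step that breaks the chain from
    open redirect to reflected XSS when the value is echoed into the page.
    """
    target = normalize_redirect(raw)
    return f'<a href="{html.escape(target, quote=True)}">Continue</a>'
```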
Details
- CWE(s): CWE-601 (URL Redirection to Untrusted Site, "Open Redirect")
- Affected Products: Venki Supravizio BPM, versions up to 18.1.1
MITRE ATT&CK Enterprise Techniques
- T1566.002, T1059.007, T1056.003
Why these techniques?
Open redirect on login page facilitates spearphishing links (T1566.002); reflected XSS enables JavaScript execution (T1059.007) and credential capture from the web login portal (T1056.003).