CVE-2024-46481

7.2 HIGH

📋 TL;DR

The login page of Venki Supravizio BPM up to version 18.1.1 contains an open redirect vulnerability that can be exploited to perform reflected cross-site scripting (XSS) attacks. This allows attackers to redirect users to malicious websites and execute arbitrary JavaScript in the victim's browser context. Organizations using affected versions of this business process management software are at risk.

💻 Affected Systems

Products:
  • Venki Supravizio BPM
Versions: Up to and including 18.1.1
Operating Systems: All platforms running the software
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the login page component and affects all deployments with the vulnerable version.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, credentials, or sensitive data from authenticated users, perform actions on their behalf, or redirect them to phishing sites that appear legitimate.

🟠 Likely Case

Attackers would use crafted URLs to redirect users to malicious sites for credential harvesting or execute limited JavaScript payloads to steal session information.

🟢 If Mitigated

With proper input validation and output encoding, the XSS impact would be eliminated, though open redirects might still allow phishing attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires user interaction (clicking a malicious link) but does not require authentication to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 18.1.2 or later

Vendor Advisory: https://www.venki.com.br/ferramenta-bpm/supravizio/

Restart Required: No

Instructions:

1. Download the latest version from the vendor website.
2. Back up the current installation.
3. Apply the update following vendor documentation.
4. Verify the fix is applied.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement server-side validation to reject or sanitize redirect URLs containing JavaScript or malicious characters.

Content Security Policy (applies to: all)

Implement strict CSP headers to prevent execution of inline scripts and restrict redirect destinations.
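The following is an added example of the server-side validation workaround; it is not Supravizio code and the vendor's parameter names are not public here, so it assumes a hypothetical `next` query parameter on the login page and a constructed allow-list host. The policy is allow-list based rather than blocklist based: only same-site absolute paths (or `https` URLs to an explicitly allowed host) pass, and everything else, including `javascript:` and `data:` pseudo-URLs, protocol-relative `//host` targets, and backslash variants, falls back to a safe default. Note that a CSP header does not stop a server-issued `Location` redirect, which is why this validation is the primary control and CSP only limits the XSS half.

```python
"""Allow-list validation of a login-page redirect target (added example).

Assumes a hypothetical `next` parameter; ALLOWED_HOSTS is a constructed value.
"""
import html
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

SAFE_DEFAULT = "/"
ALLOWED_HOSTS = {"bpm.example.internal"}  # constructed allow-list of trusted hosts


def safe_redirect_target(raw: Optional[str]) -> str:
    """Return a redirect target that is safe to place in a Location header.

    Anything that is not a same-site absolute path or an https URL to an
    allow-listed host is replaced by SAFE_DEFAULT.
    """
    if not raw:
        return SAFE_DEFAULT
    candidate = raw.strip()
    # Browsers tolerate embedded control characters in scheme names
    # ("java\tscript:"); reject them outright instead of trying to clean them.
    if any(ord(c) < 0x20 for c in candidate):
        return SAFE_DEFAULT
    # Several browsers treat a backslash as a slash when parsing URLs, so
    # normalise before parsing; "/\\evil.example" then becomes "//evil.example".
    candidate = candidate.replace("\\", "/")
    parts = urlsplit(candidate)

    # A scheme means an absolute URL or a pseudo-URL (javascript:, data:).
    if parts.scheme:
        if parts.scheme in ("http", "https") and parts.netloc.lower() in ALLOWED_HOSTS:
            # Re-emit a canonical https URL; drop any fragment.
            return urlunsplit(("https", parts.netloc.lower(), parts.path or "/", parts.query, ""))
        return SAFE_DEFAULT
    # Protocol-relative targets ("//evil.example") parse with a netloc but no scheme.
    if parts.netloc:
        return SAFE_DEFAULT
    # Only absolute same-site paths remain acceptable.
    if not parts.path.startswith("/"):
        return SAFE_DEFAULT
    return urlunsplit(("", "", parts.path, parts.query, ""))


def reflect_into_html(target: str) -> str:
    """HTML-encode a validated target when it must be echoed into the page.

    Encoding prevents attribute break-out, but it does not neutralise a
    javascript: URL used as a navigation target; validation above comes first.
    """
    return f'<input type="hidden" name="next" value="{html.escape(target, quote=True)}">'


if __name__ == "__main__":
    for sample in ["/dashboard?x=1", "javascript:alert(1)", "//evil.example/phish",
                   "/\\evil.example", "https://bpm.example.internal/home"]:
        print(f"{sample!r:40} -> {safe_redirect_target(sample)!r}")
```

Because the decision is an allow-list, new bypass spellings of a blocked scheme do not matter: a value either parses to a same-site path or trusted host, or it is discarded.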

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with XSS and open redirect protection rules
  • Educate users about phishing risks and not clicking untrusted links to the login page

🔍 How to Verify

Check if Vulnerable:

Test the login page with crafted URLs containing redirect parameters and XSS payloads to see if they execute

Check Version:

Check the software version in the application interface or configuration files

Verify Fix Applied:

After patching, test the same exploit attempts to confirm they are blocked or sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual redirect parameters in login page requests
  • JavaScript payloads in URL parameters

Network Indicators:

  • HTTP requests with suspicious redirect parameters to the login endpoint

SIEM Query:

source="web_server" AND (url="*login*" AND (url="*javascript:*" OR url="*data:*" OR url="*%3Cscript%3E*"))
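The SIEM query above matches on raw, single-encoded URL text. The following added example (not part of the original page) runs the same detection logic over constructed access-log lines in combined log format and goes one step further than the query: it parses the query string, percent-decodes each parameter value repeatedly, so double-encoded payloads such as `%253Cscript%253E` are still caught, and also flags protocol-relative or absolute redirect targets, which the query does not cover. The log lines, the `/login` path and the `next` parameter are all constructed assumptions.

```python
"""Flag suspicious redirect/XSS values in login-page requests (added example).

Log lines below are constructed samples in Apache/nginx combined format.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

SAMPLE_LOGS = """\
10.0.0.5 - - [12/Sep/2024:10:01:02 +0000] "GET /login?next=/dashboard HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Sep/2024:10:01:07 +0000] "GET /login?next=javascript:alert(1) HTTP/1.1" 302 0 "-" "curl/8.0"
10.0.0.9 - - [12/Sep/2024:10:01:09 +0000] "GET /login?next=%2F%2Fevil.example%2Fphish HTTP/1.1" 302 0 "-" "curl/8.0"
10.0.0.9 - - [12/Sep/2024:10:01:11 +0000] "GET /login?next=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.7 - - [12/Sep/2024:10:02:00 +0000] "GET /static/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Mirrors the SIEM query (javascript:, data:, <script>) and adds the open-redirect
# shapes: protocol-relative, backslash variants and absolute http(s) URLs.
SUSPICIOUS = re.compile(
    r'^(javascript|data|vbscript):|<script|^(//|\\\\|\\/|/\\|https?://)',
    re.IGNORECASE,
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so double encoding does not hide a payload."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_login_requests(log_text: str) -> list:
    """Return one record per suspicious parameter value seen on a login-page request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        parts = urlsplit(m["target"])
        if "login" not in parts.path.lower():
            continue
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            decoded = fully_decode(value)
            # Strip control characters and spaces for matching only, so
            # "java\tscript:" is still recognised as a javascript: URL.
            normalized = re.sub(r"[\x00-\x20]", "", decoded)
            if SUSPICIOUS.search(normalized):
                hits.append({
                    "ip": m["ip"], "time": m["ts"], "param": name,
                    "value": decoded, "status": m["status"],
                })
    return hits


if __name__ == "__main__":
    for hit in flag_login_requests(SAMPLE_LOGS):
        print(hit)
```

Run against a real log feed, the `status` field is worth keeping in the alert: a `302` on a flagged request shows the server actually honoured the redirect, which is a stronger signal than a `200` that may have rendered an error page.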
