Cross Site Scripting vulnerability in Process Maker, Inc ProcessMaker prior to 4.0 allows a remote malicious user to run arbitrary code via control of the pm_sys_sys cookie.