CVE-2024-26489
Description
A cross-site scripting (XSS) vulnerability in the Addon JD Flusity 'Social block links' module of flusity-CMS v2.33 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Profile Name text field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in flusity-CMS v2.33 Social block links addon allows arbitrary script execution via crafted Profile Name.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the Addon JD Flusity 'Social block links' module of flusity-CMS v2.33. The value submitted in the Profile Name text field is stored and later emitted into page markup without output encoding, so an attacker can inject arbitrary HTML or JavaScript. The payload executes when the stored value is rendered in the browser of an administrator or any other user viewing the social block links. Affected version: flusity-CMS v2.33 [1].
Exploitation
An attacker with access to the profile editing functionality (e.g., a user with permission to modify social block links) can submit a crafted payload in the Profile Name field. No special network position is required beyond standard web access. The payload is stored in the database and executed when any user visits a page that displays the social block links, such as the site's front-end or admin panel. The attack does not require user interaction beyond the victim viewing the affected page [1].
Impact
Successful exploitation allows the attacker to execute arbitrary web scripts or HTML in the context of the victim's browser, with whatever privileges that victim holds on the site. This can lead to session hijacking, defacement, credential theft, or other malicious actions; if an administrator views the compromised social block links, the injected script can issue requests to the admin panel on their behalf. The effect is confined to the browser session of the user viewing the affected page [1].
Mitigation
As of the publication date (2024-02-22), no official patch has been released for flusity-CMS v2.33. The correct fix is contextual output encoding of the Profile Name value at render time (escaping &, <, >, " and ' before it is placed in a text node or attribute); input validation (length limits, rejecting control characters) is useful as defense in depth but is not a substitute, since legitimate names can contain characters such as apostrophes. Until a fix is available, consider disabling the 'Social block links' addon or restricting access to the profile editing functionality to trusted users only [1].
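The rendering defect and the output-encoding fix described above, as an added example. This is not flusity-CMS's own code (the project is written in PHP); the markup layout of a social block link, the helper names, the 64-character name limit and the crafted sample values are assumptions made here to illustrate the vulnerability class and its remediation.

```python
import html
from urllib.parse import urlsplit

# Constructed sample inputs of the kind the advisory describes: a Profile Name
# carrying a script tag, and one that tries to break out of an attribute.
CRAFTED_PROFILE_NAME = "<script>alert(document.cookie)</script>"
CRAFTED_ATTR_NAME = '" onmouseover="alert(1)'

# Assumed limit for defense-in-depth validation; not a value from flusity-CMS.
MAX_PROFILE_NAME_LEN = 64


def render_social_block_vulnerable(profile_name: str, url: str) -> str:
    """Hypothetical rendering of one social block link.

    The stored name is concatenated straight into the markup, which is the
    defect class the advisory describes: whatever was saved in the Profile Name
    field is emitted verbatim into a text node and a title attribute.
    """
    return f'<a class="social-link" href="{url}" title="{profile_name}">{profile_name}</a>'


def render_social_block_fixed(profile_name: str, url: str) -> str:
    """Same markup with contextual output encoding applied at render time.

    html.escape(quote=True) rewrites & < > " and ' so the value can neither
    close the text node nor break out of the double-quoted attribute.
    """
    safe_name = html.escape(profile_name, quote=True)
    safe_url = html.escape(url, quote=True)
    return f'<a class="social-link" href="{safe_url}" title="{safe_name}">{safe_name}</a>'


def validate_profile_name(name: str) -> bool:
    """Defense-in-depth input check: bounded length, printable characters only.

    Deliberately permissive about punctuation (O'Brien, R&D) because encoding,
    not validation, is what makes the value safe to render.
    """
    if not 1 <= len(name) <= MAX_PROFILE_NAME_LEN:
        return False
    return all(ch.isprintable() for ch in name)


def is_safe_link_target(url: str) -> bool:
    """HTML escaping does not neutralise a javascript: URL placed in href.

    The advisory only names the Profile Name field, so this scheme allow-list
    is an additional hardening step for the link field, not part of the fix.
    """
    scheme = urlsplit(url.strip()).scheme.lower()
    return scheme in ("http", "https")


def payload_survives(rendered: str, payload: str) -> bool:
    """True when the raw payload reached the output unchanged."""
    return payload in rendered


if __name__ == "__main__":
    link = "https://example.com/profile"
    print("vulnerable:", render_social_block_vulnerable(CRAFTED_PROFILE_NAME, link))
    print("fixed:     ", render_social_block_fixed(CRAFTED_PROFILE_NAME, link))
    print("attr ctx:  ", render_social_block_fixed(CRAFTED_ATTR_NAME, link))
```

The PHP equivalent of the escaping call is `htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8')`; the important property in either language is that quotes are escaped too, because a value that lands inside an attribute needs `"` neutralised, not just `<` and `>`.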
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- flusity/CMS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.