CVE-2024-26491
Description
A cross-site scripting (XSS) vulnerability in the Addon JD Flusity 'Media Gallery with description' module of flusity-CMS v2.33 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Gallery name text field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in flusity-CMS v2.33 Media Gallery addon allows arbitrary script execution via crafted Gallery name.
Vulnerability
The Addon JD Flusity 'Media Gallery with description' module in flusity-CMS v2.33 contains a stored cross-site scripting (XSS) vulnerability. The Gallery name text field does not sanitize user input, allowing an attacker to inject arbitrary web scripts or HTML. The vulnerability is present in version 2.33 and possibly earlier versions [1].
Exploitation
An attacker with access to create or edit a gallery (typically an administrator or editor) can inject a crafted payload into the Gallery name field. When the gallery is subsequently viewed by any user, the payload executes in the context of the victim's browser. No additional user interaction beyond viewing the gallery is required [1].
Impact
Successful exploitation allows arbitrary JavaScript or HTML execution in the victim's browser. This can lead to session hijacking, defacement, data theft, or further attacks within the CMS context. The attacker gains the ability to perform actions on behalf of the victim, potentially compromising the entire application [1].
Mitigation
As of the publication date (2024-02-22), no official patch has been released for flusity-CMS v2.33. Users should restrict access to gallery management functions to trusted administrators and consider implementing input sanitization for the Gallery name field. If a patched version becomes available, upgrading immediately is recommended. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing [1].
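The mitigation above suggests sanitizing the Gallery name field. The Python snippet below is an added illustration, not code from flusity-CMS or from this advisory's sources: it places the vulnerable rendering pattern (stored text concatenated straight into HTML) beside two defender-side controls, an allow-list check when the name is submitted and HTML entity encoding when it is rendered, plus a small helper that flags when stored text has produced extra tags in the rendered page. The template strings, function names and sample values are constructed for this example.

```python
import html
import re

# Constructed sample values (not taken from the advisory): one benign name and
# one carrying markup, as might be stored if the field accepts arbitrary input.
BENIGN_NAME = "Summer 2023 & Holidays"
MARKUP_NAME = "Summer <script>evil()</script> Holidays"

# Input-side control: a conservative allow-list for a display name. Gallery
# names are short human-readable text, so letters, digits, spaces and a few
# punctuation marks suffice; anything else is rejected rather than "cleaned".
_ALLOWED_NAME = re.compile(r"^[\w \-'&.,()!]{1,120}$", re.UNICODE)

# Tag-start pattern used by the detection helper below.
_TAG = re.compile(r"<\s*/?[A-Za-z]")

# The title template (hypothetical) contributes exactly two tags of its own.
TITLE_TEMPLATE_TAGS = 2


def validate_gallery_name(name: str) -> bool:
    """Return True if the submitted name fits the allow-list (input boundary)."""
    return bool(_ALLOWED_NAME.fullmatch(name))


def render_title_unsafe(name: str) -> str:
    """Vulnerable pattern: stored text concatenated into HTML as-is."""
    return f'<h2 class="gallery-title">{name}</h2>'


def render_title_safe(name: str) -> str:
    """Hardened pattern: entity-encode for the element-content context."""
    return f'<h2 class="gallery-title">{html.escape(name)}</h2>'


def render_link_safe(name: str, gallery_id: int) -> str:
    """Attribute context: encode quotes as well and keep the attribute quoted.
    The id is coerced to int so it cannot carry markup either."""
    return (
        f'<a href="/gallery/{int(gallery_id)}" '
        f'title="{html.escape(name, quote=True)}">{html.escape(name)}</a>'
    )


def injected_tag_count(rendered: str, template_tags: int = TITLE_TEMPLATE_TAGS) -> int:
    """Detection helper: number of tag starts in the rendered fragment beyond
    those the template itself emits. Anything above zero means stored data
    became live markup."""
    return len(_TAG.findall(rendered)) - template_tags


if __name__ == "__main__":
    for name in (BENIGN_NAME, MARKUP_NAME):
        print("accepted at input:", validate_gallery_name(name))
        print("unsafe render injects", injected_tag_count(render_title_unsafe(name)), "tag(s)")
        print("safe   render injects", injected_tag_count(render_title_safe(name)), "tag(s)")
        print(render_title_safe(name))
```

Encoding at output is the control that closes the bug regardless of what was stored, since it is applied in the context where the browser interprets the data; the allow-list is defence in depth that also stops the injection at the boundary the description identifies. Each HTML context (element content, attribute value, URL, script) needs its own encoding, which is why the link helper escapes quotes for the attribute separately.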
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
flusity/CMS
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.