VYPR
Moderate severity · NVD Advisory · Published Dec 20, 2024 · Updated Dec 20, 2024

CVE-2024-55341

Description

A stored cross-site scripting (XSS) vulnerability in Piranha CMS 11.1 allows remote attackers to execute arbitrary JavaScript in the web browser of a user by creating a page via /manager/pages and then adding Markdown content containing the XSS payload.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Piranha CMS 11.1 has a stored XSS vulnerability that lets an authenticated attacker inject arbitrary JavaScript via a crafted Markdown page, executing in a victim's browser.

Vulnerability

CVE-2024-55341 is a stored cross-site scripting (XSS) vulnerability in Piranha CMS version 11.1. The root cause is insufficient sanitization of user-supplied Markdown content when creating a new page. An authenticated attacker can inject arbitrary JavaScript into the Markdown field via the `/manager/pages` endpoint [1][2].

Exploitation

To exploit this vulnerability, an attacker must first authenticate to the Piranha CMS manager interface (/manager/login). Once authenticated, they can create a new Standard Page, add a Markdown content block, and then include a malicious XSS payload in the Markdown text. When another user (or the same user in a different session) views the published page, the injected JavaScript executes in their browser [2].

Impact

Successful exploitation allows a remote attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, cookie theft, and further client-side attacks. The vulnerability does not require special privileges beyond a valid authenticated session [1][2].

Mitigation

At the time of publication, Piranha CMS 11.1 may be vulnerable; users should check for patches or upgrade to a newer version that properly escapes or sanitizes Markdown content. No official mitigation is documented in the references [1][2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| Piranha (NuGet) | <= 11.1.0 | |

Affected products

2

Patches

0

No patches discovered yet.

References

3
