VYPR
Moderate severity · NVD Advisory · Published Dec 20, 2024 · Updated Dec 20, 2024

CVE-2024-55342


Description

A file upload functionality in Piranha CMS 11.1 allows authenticated remote attackers to upload a crafted PDF file to /manager/media. This PDF can contain malicious JavaScript code, which is executed when a victim user opens or interacts with the PDF in their web browser, leading to an XSS vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Piranha CMS 11.1 allows authenticated attackers to upload a crafted PDF containing malicious JavaScript, leading to stored XSS when a victim opens the file.

Root Cause

CVE-2024-55342 is a stored cross-site scripting (XSS) vulnerability found in Piranha CMS version 11.1. The flaw resides in the file upload functionality accessible at /manager/media. An authenticated attacker can upload a specially crafted PDF file containing embedded JavaScript code. The application does not sanitize or validate the content of the uploaded PDF, allowing the malicious script to be stored on the server. [1]

Exploitation Prerequisites

To exploit this vulnerability, an attacker must first have a valid account with the ability to access the media manager. The attacker logs in via /manager/login, navigates to the Media section, and uploads a malicious PDF (e.g., one generated using a proof-of-concept tool) to the /manager/media endpoint. The attack does not require any additional privileges beyond standard media upload rights. [2]

Impact

When a victim user (such as an administrator or other content editor) opens or interacts with the uploaded PDF in their browser, the embedded JavaScript executes within the context of the Piranha CMS web application. This can lead to session hijacking, theft of sensitive data, defacement, or further actions performed on behalf of the victim. The XSS is stored, meaning the payload persists until the malicious file is removed. [1][2]

Mitigation

As of December 2024, no official patch has been released for this vulnerability. Administrators should restrict media upload permissions to only trusted users, disable PDF preview if possible, or implement a content security policy (CSP) to mitigate script execution. The vendor has not acknowledged a fix at the time of disclosure. [1][2]
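The two controls the mitigation above points at (keeping user-uploaded PDFs from rendering inline, and screening uploads for active content before they are stored) can be shown in a few lines. The following Python is an added example written for this page; it is not Piranha CMS code and is not taken from the advisory or its references. The function names (active_content_names, should_quarantine_upload, safe_media_headers) and both sample PDFs are constructed here for illustration.

```python
import re
from typing import Dict, Set

# PDF name tokens that introduce active content (ISO 32000-1: actions and triggers).
# Presence alone is a heuristic signal, not proof of malice.
ACTIVE_CONTENT_NAMES = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch"}

# A PDF name starts with '/' and runs until whitespace or a delimiter character.
_NAME_TOKEN = re.compile(rb"/[^\s/<>\[\]()\{\}%]+")
# Names may encode bytes as #xx, e.g. /J#61vaScript is the same name as /JavaScript.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def _decode_name(raw: bytes) -> str:
    """Resolve #xx escapes so obfuscated names compare equal to their plain form."""
    decoded = _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def active_content_names(pdf_bytes: bytes) -> Set[str]:
    """Return the active-content name tokens visible in the raw (uncompressed) PDF bytes."""
    found = set()
    for match in _NAME_TOKEN.finditer(pdf_bytes):
        name = _decode_name(match.group(0))
        if name in ACTIVE_CONTENT_NAMES:
            found.add(name)
    return found


def is_pdf(data: bytes) -> bool:
    """Check the file really starts with a PDF header rather than trusting the extension."""
    return data[:5] == b"%PDF-"


def should_quarantine_upload(data: bytes) -> bool:
    """Hold back uploads that are not PDFs at all, or that carry active-content names."""
    return not is_pdf(data) or bool(active_content_names(data))


def safe_media_headers(filename: str, content_type: str) -> Dict[str, str]:
    """Response headers for serving uploaded media as a download, never rendered inline.

    Content-Disposition: attachment is the decisive control; the CSP sandbox and
    nosniff are defence in depth for clients that still render the body.
    """
    # Keep the filename to a conservative character set so it cannot break the header.
    safe_name = re.sub(r"[^\w.\-]", "_", filename)
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "sandbox; default-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample input (not a real upload): a minimal, benign PDF skeleton.
BENIGN_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# Constructed sample input: the same skeleton with an OpenAction that references a
# JavaScript action dictionary, using a #xx-escaped name. The /JS body is a
# placeholder string, not a script.
SUSPICIOUS_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /S /J#61vaScript /JS (placeholder) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, "quarantine:", should_quarantine_upload(sample),
              "names:", sorted(active_content_names(sample)))
    print(safe_media_headers("quarterly report.pdf", "application/pdf"))
```

The screening function only looks at uncompressed PDF syntax: names inside object streams or FlateDecode-compressed dictionaries are not seen, so a production filter should decompress streams or use a real PDF parser, and should treat this check as one signal alongside the download-only headers rather than as the sole gate.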

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: Piranha (NuGet)
Affected versions: <= 11.1.0
Patched versions: none listed

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.