CVE-2024-58296
Description
CE Phoenix v3.0.1 contains a stored cross-site scripting vulnerability in the currencies administration panel that allows attackers to inject malicious scripts. Attackers can insert XSS payloads in the title field to execute arbitrary JavaScript when administrators view the currencies page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CE Phoenix v3.0.1 has a stored XSS vulnerability in the currencies admin panel, allowing attackers to inject JavaScript via the title field.
Vulnerability
Overview
CE Phoenix v3.0.1 contains a stored cross-site scripting (XSS) vulnerability in the currencies administration panel, specifically in the admin/currencies.php page. The title field is neither sanitized on input nor HTML-encoded on output, so an attacker can save arbitrary JavaScript that is persisted and executed every time an administrator views the currencies page [2]. This is a classic instance of CWE-79: Improper Neutralization of Input During Web Page Generation.
Exploitation
Details
Exploiting this vulnerability requires an account that can reach the CE Phoenix admin panel and edit currencies. Once logged in, the attacker opens the currencies page, edits a currency entry, and saves a payload in the title field. The proof-of-concept payload <sVg/onLy=1 onLoaD=confirm(1)// runs as soon as the page renders [3]; its mixed-case tag and event name and its unquoted attribute value are typical of payloads that slip past simple blocklist filters. No special network position is needed beyond HTTP access to the admin interface, and because the payload is stored, it fires for every administrator who subsequently views the currencies page, not only the one who entered it.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the admin panel. This can lead to session hijacking, defacement of the admin interface, or further attacks against other administrators, including requests issued with the victim administrator's privileges. The CVSS v4 vector (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N) indicates medium severity, with low impact on confidentiality and integrity and no impact on availability [2]. Note that the vector's PR:N (no privileges required) does not match the administrative access described under Exploitation; when assessing exposure, treat the attacker as an authenticated user who can edit currencies and the victim as any administrator who views the page.
Mitigation
Status
As of the publication date (2025-12-11), no official patch has been released for this vulnerability, and the vendor has not addressed it in a subsequent release [2][3]. Users of CE Phoenix v3.0.1 are advised to apply a workaround in admin/currencies.php: validate the title field when a currency is created or updated, and HTML-encode the stored title wherever it is rendered. Because the payload persists in the database, also review existing currency rows for markup or event-handler attributes that were stored before the workaround was applied.
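The rendering defect described under Exploitation and the workaround above, as an added example that is not CE Phoenix's own code: a constructed currencies table with the advisory's payload in one title, a vulnerable renderer that concatenates the title into HTML, a hardened renderer that HTML-encodes it (the same transformation PHP's htmlspecialchars with ENT_QUOTES performs), an allowlist validator for new titles, and an audit function that flags rows already stored in the table. The row shape, the allowed-character set and the function names are assumptions for illustration.

```javascript
// Added example, not code from CE Phoenix: stored XSS in a currency
// title, the output encoding that neutralizes it, and an audit of rows
// already in the database. Row shape and function names are assumed.

// Payload from the advisory's proof of concept, as saved in the title field.
const PAYLOAD = '<sVg/onLy=1 onLoaD=confirm(1)//';

// Constructed sample rows standing in for the currencies table.
const SAMPLE_ROWS = [
  { currencies_id: 1, title: 'US Dollar', code: 'USD' },
  { currencies_id: 2, title: 'Euro', code: 'EUR' },
  { currencies_id: 3, title: PAYLOAD, code: 'XSS' },
];

// Vulnerable rendering: the stored title is concatenated straight into
// the HTML, so a title containing markup becomes markup (CWE-79).
function renderRowVulnerable(row) {
  return `<tr><td>${row.title}</td><td>${row.code}</td></tr>`;
}

// HTML entity encoding for a text node or quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: every stored field is encoded on output, so the
// payload is displayed as literal text and no <svg> element is created.
function renderRowHardened(row) {
  return `<tr><td>${escapeHtml(row.title)}</td><td>${escapeHtml(row.code)}</td></tr>`;
}

// Input validation on write (defense in depth, not a substitute for
// output encoding): currency titles are short, human-readable names.
// The allowed set is an assumption for this example.
const TITLE_PATTERN = /^[\p{L}\p{N} .,'()-]{1,32}$/u;
function isValidTitle(title) {
  return typeof title === 'string' && TITLE_PATTERN.test(title);
}

// Audit: with no vendor patch, flag rows whose title already contains
// tag delimiters or an event-handler attribute, so stored payloads can
// be cleaned up once output encoding is in place.
const SUSPICIOUS = /[<>]|\bon[a-z]+\s*=/i;
function findSuspiciousTitles(rows) {
  return rows.filter((r) => SUSPICIOUS.test(r.title)).map((r) => r.currencies_id);
}

// Does rendered HTML contain a live <svg ... onload=...> handler?
function containsLiveHandler(html) {
  return /<svg\b[^>]*\bonload\s*=/i.test(html);
}

// Stand-alone demonstration: compare both renderings of each row.
for (const row of SAMPLE_ROWS) {
  console.log('vulnerable:', renderRowVulnerable(row));
  console.log('hardened:  ', renderRowHardened(row));
}
console.log('suspicious currencies_id values:', findSuspiciousTitles(SAMPLE_ROWS));
```

The vulnerable renderer emits the payload as a real element, so the audit flags row 3 and the handler check fires; the hardened renderer turns the leading `<` into `&lt;`, and the browser shows the payload as text. Encoding on output is the fix; the validator only narrows what new rows can contain and does nothing for rows already stored, which is why the audit is included.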
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CE Phoenix, range: = 3.0.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.