CVE-2024-22302: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Ignazio Scimone Albo Pretorio On line

Medium
Tags: Vulnerability, CVE-2024-22302, cve, cve-2024-22302, cwe-79
Published: Wed Jan 31 2024 (01/31/2024, 16:55:52 UTC)
Source: CVE
Vendor/Project: Ignazio Scimone
Product: Albo Pretorio On line

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ignazio Scimone Albo Pretorio On line allows Stored XSS. This issue affects Albo Pretorio On line: from n/a through 4.6.6.

AI-Powered Analysis

AI Last updated: 07/08/2025, 21:57:52 UTC

Technical Analysis

CVE-2024-22302 is a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the web application 'Albo Pretorio On line' developed by Ignazio Scimone. The vulnerability arises from improper neutralization of input during web page generation: attacker-controlled content is stored on the server and later rendered unencoded, so the embedded script executes in the browsers of users who view the affected pages. The flaw exists in versions up to and including 4.6.6 of the product. The CVSS 3.1 base score is 6.5, a medium severity level. The vector string (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) indicates that the attack can be launched remotely over the network with low attack complexity, requires low privileges (PR:L) and user interaction (UI:R), and has a limited impact on confidentiality, integrity, and availability. The scope is changed (S:C), meaning the impact can reach components beyond the vulnerable component itself (the script runs in the victim's browser rather than in the application). Stored XSS is particularly dangerous because the injected script persists on the server and can affect every user who views the page, potentially leading to session hijacking, credential theft, defacement, or malware distribution. Although no exploits are currently reported in the wild, the presence of this vulnerability in a public-facing web application that likely serves official or administrative content makes it a significant risk if exploited. The lack of an available patch at the time of reporting increases the urgency of mitigation.

Potential Impact

For European organizations, especially public sector entities or municipalities using 'Albo Pretorio On line' for publishing official documents or notices, this vulnerability poses a risk of unauthorized script execution in users' browsers. Exploitation could lead to theft of user credentials, session tokens, or other sensitive information, undermining user trust and potentially enabling further attacks such as privilege escalation or lateral movement within networks. The vulnerability could also be leveraged to deface official websites or distribute malware, damaging organizational reputation and causing operational disruptions. Given that the vulnerability affects confidentiality, integrity, and availability, even a medium severity rating translates to a meaningful risk in environments where data protection and service availability are critical. The requirement for user interaction and privileges to exploit somewhat limits the attack surface but does not eliminate the threat, especially in environments with multiple users having some level of access. The scope change indicates that the impact could extend beyond the immediate application, potentially affecting integrated systems or services.

Mitigation Recommendations

Organizations should immediately review the user input fields in 'Albo Pretorio On line' and ensure proper input validation and, above all, context-aware output encoding for any content that is stored and later rendered in web pages. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Employ web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting this application. Conduct thorough code audits focusing on input handling and sanitization routines. Until an official patch is released, consider isolating or limiting access to the vulnerable application, in particular restricting the privileges needed to submit stored content to trusted users only. Educate users about the risks of interacting with untrusted content and encourage the use of security-conscious browsers. Monitor logs for unusual activity indicative of attempted exploitation. Finally, maintain close communication with the vendor for timely patch releases and apply updates promptly once available.
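The output-encoding and CSP recommendations above, as an added example that is not code from Albo Pretorio On line or its author. It assumes the application is PHP-based and renders stored notice fields (title and body) into an HTML page; the function names and the notice array layout are hypothetical.

```php
<?php
// Added example, not the project's own code. Assumes a PHP application that
// stores notice fields in a database and later renders them into HTML.

// Vulnerable pattern: stored fields are interpolated into the page unencoded,
// so any markup saved in 'title' or 'body' becomes live HTML for every viewer.
function render_notice_vulnerable(array $notice): string
{
    return '<h2>' . $notice['title'] . '</h2>'
         . '<div class="notice">' . $notice['body'] . '</div>';
}

// Hardened pattern: encode for the HTML-body context at output time, every time,
// regardless of what validation happened when the value was stored.
function esc_html_ctx(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_notice(array $notice): string
{
    return '<h2>' . esc_html_ctx($notice['title']) . '</h2>'
         . '<div class="notice">' . esc_html_ctx($notice['body']) . '</div>';
}

// Defence in depth: a CSP that only permits same-origin scripts and blocks
// plugins and base-tag hijacking. Must be sent before any page output.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'self'");
}

// Constructed sample record: a stored title containing markup, as a user with
// publishing rights could have saved it. render_notice() neutralises it.
$sample = [
    'title' => 'Avviso pubblico <script>alert(document.cookie)</script>',
    'body'  => 'Testo dell\'avviso & allegati',
];

send_csp_header();
echo render_notice($sample), PHP_EOL;
```

Compare the two renderers on the same record: the vulnerable one emits the script tag verbatim, the hardened one emits it as inert text with `<`, `>` and `&` encoded.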

Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2024-01-08T20:58:59.273Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 6830a0ae0acd01a24927415c

Added to database: 5/23/2025, 4:22:06 PM

Last enriched: 7/8/2025, 9:57:52 PM

Last updated: 8/3/2025, 8:41:15 PM
