CVE-2024-22493 is a stored Cross-Site Scripting (XSS) vulnerability identified in JFinalcms version 5.0.0. The vulnerability resides in the /gusetbook/save endpoint, specifically within the content parameter, which fails to properly sanitize or encode user-supplied input. This allows remote attackers with limited privileges (authentication required) to inject malicious JavaScript or HTML code that is stored persistently on the server. When other users access the affected pages, the injected scripts execute in their browsers, potentially leading to session hijacking, defacement, or unauthorized actions performed on behalf of the victim. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 5.4, reflecting medium severity, with attack vector network (remote), low attack complexity, privileges required, user interaction required, and scope changed due to potential impact on other users. No public exploits are currently known, but the vulnerability poses a risk especially in environments where multiple users interact with the guestbook feature. The lack of available patches at the time of disclosure necessitates immediate attention to mitigation strategies.

The primary impact of this vulnerability is the compromise of confidentiality and integrity for users interacting with the affected JFinalcms guestbook feature. Attackers can inject malicious scripts that execute in the browsers of other users, potentially stealing session cookies, redirecting users to malicious sites, or performing unauthorized actions within the application context. Although availability is not directly affected, the reputational damage and potential data breaches can be significant. Organizations using JFinalcms 5.0.0 in customer-facing or internal portals are at risk, especially if the guestbook feature is publicly accessible. The requirement for authentication and user interaction limits the ease of exploitation but does not eliminate the threat, particularly in environments with many users or where social engineering can be employed. The vulnerability could be leveraged as a foothold for further attacks or lateral movement within an organization’s network.

To mitigate CVE-2024-22493, organizations should implement strict input validation and output encoding on the /gusetbook/save content parameter to neutralize malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Limit the privileges of users who can submit content to the guestbook and monitor for unusual input patterns or injection attempts. If possible, disable or restrict the guestbook feature until a vendor patch or update is available. Conduct regular security reviews and penetration testing focused on input handling in web applications. Additionally, educate users about the risks of interacting with untrusted content and implement multi-factor authentication to reduce the impact of session hijacking. Monitoring web logs for suspicious activity related to the guestbook endpoint can provide early detection of exploitation attempts.