CVE-2024-24097 is a medium-severity Cross Site Scripting (XSS) vulnerability classified under CWE-79, affecting the Code-projects Scholars Tracking System 1.0. The vulnerability arises from insufficient sanitization or encoding of user-supplied input in the News Feed component, allowing an attacker with limited privileges (PR:L) to inject malicious scripts. Exploitation requires user interaction (UI:R), such as a victim clicking a crafted link or viewing a manipulated news feed entry. The attack vector is network-based (AV:N), meaning the attacker can exploit it remotely over the internet. The vulnerability impacts confidentiality and integrity by enabling arbitrary code execution in the context of the victim’s browser, potentially leading to session hijacking, credential theft, or unauthorized actions within the application. Availability is not affected. The scope is changed (S:C), indicating the vulnerability can affect resources beyond the vulnerable component. No patches or known exploits are currently available, but the presence of this vulnerability in an educational tracking system could be leveraged for targeted attacks against students, educators, or administrators. The lack of version specifics suggests the issue may be present in all 1.0 releases or the entire product line. The vulnerability highlights the need for secure coding practices, especially input validation and output encoding in web applications handling user-generated content.

The primary impact of CVE-2024-24097 is on the confidentiality and integrity of user data within the Scholars Tracking System. Attackers exploiting this XSS vulnerability can execute arbitrary JavaScript in the context of other users, potentially stealing session cookies, credentials, or manipulating displayed content. This can lead to unauthorized access to sensitive student or academic data, undermining trust and compliance with data protection regulations. Although availability is not directly impacted, successful exploitation could facilitate further attacks or social engineering campaigns. Organizations relying on this system, especially educational institutions, may face reputational damage, data breaches, and operational disruptions. The medium severity score reflects the need for prompt remediation but indicates that exploitation requires some user interaction and limited privileges, somewhat reducing the risk compared to more severe vulnerabilities.

To mitigate CVE-2024-24097, organizations should implement strict input validation and output encoding on all user-supplied data, particularly in the News Feed feature. Employing Content Security Policy (CSP) headers can help restrict the execution of unauthorized scripts. Restrict user privileges to the minimum necessary to reduce the attack surface. Regularly audit and sanitize all dynamic content displayed to users. Since no official patches are currently available, consider applying virtual patching via Web Application Firewalls (WAFs) to detect and block malicious payloads targeting this vulnerability. Educate users about the risks of clicking unknown links or interacting with untrusted content within the system. Monitor logs for suspicious activity indicative of attempted XSS exploitation. Engage with the vendor or development team to prioritize releasing a security update addressing this flaw. Finally, maintain up-to-date backups and incident response plans to quickly recover from any potential compromise.