CVE-2024-25874 is a cross-site scripting (XSS) vulnerability identified in the New/Edit Article module of Enhavo CMS version 0.13.1. The vulnerability arises from insufficient input sanitization in the Create Tag text field, allowing an attacker to inject crafted payloads containing arbitrary JavaScript or HTML. When an authenticated user interacts with the affected module, the malicious script executes in their browser context, potentially enabling session hijacking, defacement, or unauthorized actions within the CMS interface. The CVSS 3.1 base score is 5.4 (medium), reflecting that the attack vector is network-based (AV:N), requires low attack complexity (AC:L), but does require privileges (PR:L) and user interaction (UI:R). The scope is changed (S:C), indicating that the vulnerability affects components beyond the initially vulnerable module, impacting confidentiality and integrity to a limited extent (C:L, I:L) but not availability (A:N). No patches or known exploits are currently available, but the vulnerability is publicly disclosed and assigned by MITRE. The CWE classification is CWE-79, which corresponds to improper neutralization of input during web page generation. This vulnerability highlights the importance of robust input validation and output encoding in CMS platforms to prevent client-side script injection attacks.

The primary impact of CVE-2024-25874 is the potential execution of malicious scripts in the browsers of authenticated users interacting with the New/Edit Article module of Enhavo CMS. This can lead to theft of session cookies, unauthorized actions performed on behalf of the user, or defacement of content. While the vulnerability does not directly affect system availability, it compromises confidentiality and integrity within the CMS environment. For organizations relying on Enhavo CMS for content management, this could result in data leakage, reputational damage, and potential lateral movement if attackers leverage stolen credentials or session tokens. The requirement for authenticated access and user interaction reduces the risk somewhat but does not eliminate it, especially in environments with many users or where social engineering can be employed. The absence of known exploits in the wild currently limits immediate risk, but the public disclosure increases the likelihood of future exploitation attempts.

Organizations using Enhavo CMS should implement the following specific mitigations: 1) Immediately audit and restrict user privileges to minimize the number of users who can access the New/Edit Article module. 2) Apply strict input validation and sanitization on the Create Tag text field to reject or neutralize potentially malicious scripts. 3) Employ output encoding techniques to ensure that any user-supplied content is safely rendered in the browser. 4) Monitor CMS logs for unusual activity or attempts to inject scripts. 5) Educate users about the risks of interacting with untrusted content and the importance of cautious behavior when editing articles. 6) Stay alert for official patches or updates from Enhavo CMS and apply them promptly once available. 7) Consider deploying web application firewalls (WAFs) with rules targeting XSS payloads specific to this module. 8) Conduct regular security assessments and penetration testing focused on CMS modules to detect similar vulnerabilities proactively.