CVE-2024-25875 is a cross-site scripting (XSS) vulnerability identified in the Header module of Enhavo CMS version 0.13.1. The vulnerability arises from insufficient input sanitization in the Undertitle text field, which allows an attacker to inject malicious scripts or HTML content. When a crafted payload is submitted, it can be executed in the context of users visiting the affected web pages, potentially leading to session hijacking, defacement, or redirection to malicious sites. The vulnerability requires no authentication but does require user interaction, such as visiting a maliciously crafted page or link. The CVSS 3.1 score of 6.1 reflects a medium severity, with network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and user interaction required (UI:R). The scope is changed (S:C), meaning the vulnerability affects components beyond the vulnerable module, and impacts confidentiality and integrity partially (C:L/I:L) but not availability (A:N). No public exploit code or active exploitation has been reported yet. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation. Since Enhavo CMS is an open-source content management system, websites using this software are vulnerable if running the affected version without patches or mitigations. The absence of official patches or updates at the time of publication increases the urgency for administrators to implement manual input validation or filtering to prevent exploitation.

The primary impact of CVE-2024-25875 is the potential compromise of user confidentiality and data integrity on websites running Enhavo CMS v0.13.1. Successful exploitation can lead to execution of arbitrary scripts in users' browsers, enabling session hijacking, theft of cookies or credentials, unauthorized actions on behalf of users, or defacement of website content. Although availability is not affected, the reputational damage and loss of user trust can be significant. Organizations relying on Enhavo CMS for public-facing websites or internal portals may face increased risk of targeted attacks or automated exploitation attempts once exploit code becomes available. The vulnerability's medium severity means it is less critical than remote code execution flaws but still poses a meaningful risk, especially for sites with high user interaction or sensitive data. The lack of authentication requirement lowers the barrier for attackers, increasing the likelihood of exploitation in the wild once the vulnerability is widely known. The scope change indicates that the vulnerability could affect multiple components or user roles, broadening the attack surface.

To mitigate CVE-2024-25875, organizations should first check for any official patches or updates from Enhavo CMS and apply them immediately once available. In the absence of official fixes, administrators should implement strict input validation and sanitization on the Undertitle text field within the Header module to neutralize potentially malicious scripts or HTML. Employing a robust web application firewall (WAF) with rules targeting common XSS payloads can provide an additional layer of defense. Content Security Policy (CSP) headers should be configured to restrict script execution sources and reduce the impact of injected scripts. Regular security audits and code reviews of CMS modules can help identify and remediate similar vulnerabilities proactively. User education to avoid clicking suspicious links and monitoring web server logs for unusual input patterns can aid in early detection of exploitation attempts. Finally, consider isolating or restricting access to the CMS administration interface to trusted networks to reduce exposure.