CVE-2024-26349: n/a
flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /core/tools/delete_translation.php
AI Analysis
Technical Summary
CVE-2024-26349 identifies a Cross-Site Request Forgery (CSRF) vulnerability in flusity-CMS version 2.33, specifically within the /core/tools/delete_translation.php component. CSRF vulnerabilities allow attackers to trick authenticated users into submitting unwanted requests to a web application, causing state-changing actions without the user's consent. In this case, the vulnerability could enable an attacker to delete translation data by sending crafted requests to the vulnerable endpoint. The CVSS 3.1 vector indicates the attack requires network access (AV:N), low attack complexity (AC:L), and low privileges (PR:L), but no user interaction (UI:N). The impact is limited to availability (A:L), with no confidentiality or integrity loss. The vulnerability is classified under CWE-352, which covers CSRF issues. No patches or known exploits are currently available, suggesting the vulnerability is newly disclosed. The absence of user interaction means exploitation can be automated once the attacker has low-privilege access, increasing risk in multi-user environments. The vulnerability affects the availability of translation management features, which could disrupt multilingual content management in affected organizations.
Potential Impact
The primary impact of CVE-2024-26349 is on the availability of translation data within flusity-CMS installations. Successful exploitation could lead to deletion of translation entries, causing disruption in multilingual website content and potentially impairing user experience or business operations relying on accurate translations. While the vulnerability does not compromise confidentiality or integrity, the denial-of-service effect on translation management could affect organizations that depend heavily on localized content. This could be particularly impactful for global businesses, government agencies, and content providers using flusity-CMS for multilingual support. The requirement for low privileges limits the scope to authenticated users with some access, but because no user interaction is needed, automated attacks are feasible. The absence of known exploits in the wild reduces immediate risk, but unpatched systems remain vulnerable. Organizations with public-facing CMS instances are at higher risk of targeted exploitation.
Mitigation Recommendations
To mitigate CVE-2024-26349, organizations should implement strict anti-CSRF protections such as synchronizer tokens or double-submit cookies on all state-changing endpoints, including /core/tools/delete_translation.php. Restrict access to this component to only trusted and necessary users by enforcing least privilege principles and role-based access controls. Monitor web server logs for unusual or repeated requests to the vulnerable endpoint that could indicate exploitation attempts. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious CSRF attack patterns targeting the CMS. Until an official patch is released, consider temporarily disabling or restricting the translation deletion functionality if feasible. Educate users about the risks of CSRF and encourage safe browsing practices, especially for authenticated users. Regularly update flusity-CMS and subscribe to vendor advisories for timely patch deployment once available.
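An added example, not code from flusity-CMS or from this advisory, showing the synchronizer-token protection recommended above as a hypothetical PHP handler for a deletion endpoint; the function names, the session key and the delete_translation_record placeholder are assumptions.

```php
<?php
// Added example (not flusity-CMS code): synchronizer-token CSRF protection
// for a state-changing endpoint such as a translation deletion handler.
declare(strict_types=1);
session_start();

// Issue one random token per session; forms embed it as a hidden field.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden input to place inside every form that performs a state change.
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time comparison of the submitted token against the session token.
function csrf_check(mixed $submitted): bool {
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Second layer: the Origin (or Referer) host must match the serving host.
// A missing header is treated as a failure because this is a destructive action.
function same_origin(): bool {
    $origin = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    $host = $origin === '' ? null : parse_url($origin, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $_SERVER['HTTP_HOST'] ?? '') === 0;
}

// Deletions are accepted only via POST, with a valid token, from the same origin.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Translation deletion requires POST');
}
if (!csrf_check($_POST['csrf_token'] ?? null) || !same_origin()) {
    http_response_code(403);
    // Log the rejection so repeated attempts show up in monitoring.
    error_log('CSRF check failed for delete_translation from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
    exit('Invalid request');
}
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if (!is_int($id)) {
    http_response_code(400);
    exit('Missing or invalid translation id');
}
// Placeholder for the CMS's own deletion routine (hypothetical name).
// delete_translation_record($id);
```

The form that triggers the deletion must include csrf_field() and submit via POST; any GET route to the same action defeats the check.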
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-02-19T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d75b7ef31ef0b57257b
Added to database: 2/25/2026, 9:45:25 PM
Last enriched: 2/26/2026, 10:52:35 AM
Last updated: 4/12/2026, 5:26:31 AM