
CVE-2024-27680

Severity: Medium
Published: Mon Mar 04 2024 (03/04/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

Flusity-CMS v2.33 is vulnerable to Cross Site Scripting (XSS) in the "Contact form."

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/28/2026, 10:14:01 UTC

Technical Analysis

CVE-2024-27680 identifies a Cross Site Scripting (XSS) vulnerability in Flusity-CMS version 2.33, specifically within the contact form functionality. XSS vulnerabilities arise when an application does not properly sanitize or encode user-supplied input, allowing attackers to inject scripts that execute in the browsers of other users. In this case, the contact form fails to adequately validate or encode its input fields, so an attacker can submit input containing executable JavaScript. When a victim views the affected page or processes the submitted form data, the injected script runs with the victim's browser privileges and can steal session cookies, perform actions on behalf of the user, or redirect the user to malicious sites. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates that the vulnerability is exploitable over the network with low attack complexity and no privileges, but requires user interaction; the scope is changed because other users can be affected. The impact is to confidentiality and integrity, not availability. No known public exploits or patches exist yet, so the vulnerability remains unmitigated in the wild. The CWE-79 classification confirms this is a classic reflected or stored XSS issue. Given the widespread use of CMS platforms for web content management, this vulnerability could be leveraged in targeted phishing or web-based attacks if exploited.

Potential Impact

The primary impact of this vulnerability is on the confidentiality and integrity of users interacting with Flusity-CMS-powered websites. Attackers can execute arbitrary scripts in the context of other users, potentially stealing session tokens, credentials, or other sensitive information. This can lead to account compromise, unauthorized actions, or redirection to malicious sites. While availability is not directly affected, the reputational damage and loss of user trust can be significant for organizations. The vulnerability could be leveraged in spear-phishing campaigns or targeted attacks against organizations using Flusity-CMS, especially those with public-facing contact forms. Since the attack requires user interaction, social engineering is a likely vector. The lack of known exploits in the wild suggests limited current impact, but the vulnerability poses a medium risk that could escalate if exploited at scale.

Mitigation Recommendations

Organizations should immediately review and harden input validation and output encoding on the contact form fields within Flusity-CMS version 2.33. Implement strict server-side input sanitization to reject or neutralize potentially malicious script content. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Monitor web logs for suspicious input patterns or repeated attempts to inject scripts. Educate users about the risks of clicking unknown links or submitting untrusted forms. Since no official patch is available, consider temporarily disabling or restricting the contact form functionality or applying web application firewall (WAF) rules to detect and block XSS payloads targeting this form. Stay alert for vendor updates or patches and apply them promptly once released. Conduct regular security assessments and penetration testing focused on input handling.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-02-26T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6d84b7ef31ef0b583cd6

Added to database: 2/25/2026, 9:45:40 PM

Last enriched: 2/28/2026, 10:14:01 AM

Last updated: 4/12/2026, 7:52:56 AM
