CVE-2024-27757 identifies a reflected cross-site scripting (XSS) vulnerability in the flusity CMS, a content management system that has been discontinued as of February 2024. The vulnerability exists in the Gallery Name parameter within the tools/addons_model.php script, where insufficient input validation allows attackers to inject malicious JavaScript code. When a victim accesses a crafted URL or interacts with the vulnerable parameter, the injected script executes in their browser context. This can lead to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of the user. The vulnerability has a CVSS 3.1 base score of 6.1, reflecting medium severity, with an attack vector of network (remote), low attack complexity, no privileges required, but requiring user interaction. The scope is changed, meaning the vulnerability can affect resources beyond the vulnerable component. No official patches or updates are available due to the cessation of flusity CMS development, increasing the risk for users who continue to operate this software. No known exploits have been reported in the wild, but the presence of CWE-79 (Improper Neutralization of Input During Web Page Generation) confirms the nature of the XSS flaw. This vulnerability primarily threatens confidentiality and integrity, with no direct impact on availability.

The primary impact of CVE-2024-27757 is the compromise of user confidentiality and integrity through reflected XSS attacks. Attackers can steal session cookies, perform actions on behalf of authenticated users, or deliver malicious payloads leading to further compromise. Since the CMS is no longer maintained, organizations using flusity CMS face increased risk due to the absence of patches or security updates. This could lead to reputational damage, data breaches, and unauthorized access to sensitive web application functions. The vulnerability requires user interaction, which may limit widespread exploitation but targeted phishing or social engineering attacks could be effective. The scope change indicates that the vulnerability might affect other components or users beyond the immediate vulnerable parameter, potentially amplifying the impact. Organizations relying on this CMS for public-facing websites or internal portals are particularly vulnerable, especially if they handle sensitive or regulated data.

Given the cessation of flusity CMS development, organizations should prioritize migration to actively maintained and secure CMS platforms. In the interim, specific mitigations include: 1) Implementing strict input validation and output encoding on the Gallery Name parameter to neutralize malicious scripts. 2) Deploying Web Application Firewalls (WAFs) with custom rules to detect and block XSS payloads targeting the vulnerable endpoint. 3) Enforcing Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of injected scripts. 4) Educating users and administrators about phishing and social engineering risks to reduce successful exploitation via user interaction. 5) Monitoring web server logs and application behavior for suspicious requests or anomalies related to the vulnerable parameter. 6) If possible, disabling or restricting access to the vulnerable tools/addons_model.php functionality to limit exposure. These targeted actions can reduce risk while planning for long-term remediation through platform replacement.