CVE-2024-29413 is a Cross Site Scripting (XSS) vulnerability identified in Webasyst version 2.9.9, specifically within the Instant messenger field of the Contact info function. This vulnerability allows a remote attacker to inject malicious scripts that execute in the context of a victim's browser. The attack vector requires the attacker to have limited privileges (PR:L) and necessitates user interaction (UI:R), such as clicking a crafted link or viewing a manipulated page. The vulnerability impacts confidentiality and integrity by potentially allowing theft of session tokens, user credentials, or manipulation of displayed content, but it does not affect system availability. The vulnerability scope is classified as changed (S:C), indicating that exploitation can affect resources beyond the vulnerable component. The CVSS 3.1 base score is 5.4, reflecting a medium severity level. No patches or known exploits are currently publicly available, but the vulnerability is documented under CWE-79, which covers improper neutralization of input leading to XSS. Organizations using Webasyst 2.9.9 should be aware that attackers could exploit this vulnerability to compromise user accounts or conduct phishing attacks within the affected application.

The primary impact of CVE-2024-29413 is on the confidentiality and integrity of user data within Webasyst installations. Successful exploitation could allow attackers to execute arbitrary scripts in the context of authenticated users, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. This could result in unauthorized access to sensitive information, manipulation of user data, or further compromise of the application environment. Although availability is not directly impacted, the breach of confidentiality and integrity can have significant operational and reputational consequences for organizations. The vulnerability requires user interaction and limited privileges, which somewhat reduces the attack surface but still poses a notable risk in environments with many users or where social engineering could be employed. Organizations relying on Webasyst for e-commerce or customer management may face increased risk of data breaches or fraud if this vulnerability is exploited.

1. Apply official patches or updates from Webasyst as soon as they become available to address CVE-2024-29413. 2. In the absence of patches, implement input validation and output encoding on the Instant messenger field to neutralize potentially malicious scripts. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts within the application. 4. Educate users about the risks of interacting with untrusted links or input fields, especially within the Webasyst environment. 5. Monitor logs and user activity for unusual behavior that could indicate exploitation attempts. 6. Limit user privileges where possible to reduce the impact of compromised accounts. 7. Conduct regular security assessments and penetration testing focused on input handling and XSS vulnerabilities. 8. Consider deploying Web Application Firewalls (WAFs) with rules targeting XSS attack patterns to provide an additional layer of defense.