CVE-2024-30950 is a stored cross-site scripting (XSS) vulnerability identified in FUDforum version 3.1.3, an open-source forum software. The flaw exists in the /adm/admsql.php administrative interface, specifically in the SQL statements input field, where insufficient input sanitization allows an attacker to inject arbitrary web scripts or HTML. This vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation). Exploitation requires the attacker to have administrative privileges (PR:H) and user interaction (UI:R), as the malicious payload must be submitted through the admin interface. The attack vector is network-based (AV:N), and the vulnerability affects confidentiality and integrity but does not impact availability. The CVSS v3.1 base score is 3.5, reflecting low severity due to the high privilege requirement and the need for user interaction. No public exploits or patches are currently available, indicating limited active exploitation. However, successful exploitation could allow an attacker to execute scripts in the context of the admin user’s browser session, potentially leading to session hijacking, defacement, or further administrative compromise. The vulnerability highlights the importance of proper input validation and output encoding in administrative modules of web applications.

The primary impact of CVE-2024-30950 is on the confidentiality and integrity of the affected FUDforum installations. An attacker with administrative access could inject malicious scripts that execute in the context of other administrators’ browsers, potentially stealing session tokens, manipulating forum content, or performing unauthorized actions. Although the vulnerability does not affect availability, the compromise of administrative accounts could lead to broader system misuse or data leakage. Organizations relying on FUDforum for community engagement or internal communication may face reputational damage and loss of trust if exploited. The requirement for high privileges and user interaction limits the attack surface, reducing the likelihood of widespread exploitation. Nonetheless, targeted attacks against organizations with poorly secured administrative access could be successful, especially if combined with social engineering or credential compromise.

To mitigate CVE-2024-30950, organizations should immediately restrict access to the /adm/admsql.php administrative interface to trusted personnel only, ideally via network segmentation or VPN access. Implement strict input validation and output encoding on all fields accepting user input, especially the SQL statements field, to neutralize potentially malicious scripts. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts within the admin interface. Monitor administrative logs for unusual activity or unexpected input submissions. Since no official patch is currently available, consider applying custom filters or web application firewall (WAF) rules to detect and block XSS payloads targeting this endpoint. Regularly update FUDforum installations and subscribe to vendor advisories for forthcoming patches. Educate administrators on the risks of executing untrusted inputs and the importance of secure credential management to prevent privilege escalation.