CVE-2024-30953 is a stored cross-site scripting (XSS) vulnerability identified in Htmly version 2.9.5, a content management system used for website creation and management. The vulnerability arises from insufficient input sanitization in the Menu Editor module, specifically in the Link Name parameter. An attacker can craft a malicious payload containing executable JavaScript or HTML and inject it into this parameter. When a legitimate user views the affected menu, the malicious script executes in their browser context, potentially allowing the attacker to steal session cookies, perform actions on behalf of the user, or manipulate page content. The vulnerability requires no authentication but does require user interaction, such as visiting a page with the injected payload. The CVSS 3.1 score of 6.1 reflects medium severity, with network attack vector, low attack complexity, no privileges required, and user interaction needed. The impact scope is changed (S:C) indicating the vulnerability affects resources beyond the vulnerable component. No patches or known exploits are currently reported, but the vulnerability is publicly disclosed and should be addressed promptly. This vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation, a common vector for XSS attacks.

The primary impact of CVE-2024-30953 is on the confidentiality and integrity of affected web applications and their users. Successful exploitation can lead to theft of sensitive user information such as session tokens, enabling account hijacking or unauthorized actions. It may also facilitate phishing attacks by modifying page content to deceive users. Although availability is not directly affected, the trustworthiness of the website can be compromised, potentially damaging organizational reputation. For organizations relying on Htmly CMS, this vulnerability could expose their user base to targeted attacks, especially if administrative or authenticated user sessions are compromised. The medium severity and requirement for user interaction limit the scope somewhat, but the ease of exploitation without authentication increases risk. Organizations with public-facing Htmly-powered sites are particularly vulnerable, and attackers could leverage this flaw to gain footholds for further attacks or lateral movement within networks.

To mitigate CVE-2024-30953, organizations should implement strict input validation and output encoding on the Link Name parameter within the Menu Editor module to neutralize malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Monitor web application logs for unusual input patterns or repeated injection attempts. Until an official patch is released, consider disabling or restricting access to the Menu Editor module for untrusted users. Regularly update Htmly CMS to the latest versions once patches addressing this vulnerability become available. Additionally, educate users about the risks of clicking suspicious links and ensure that web application firewalls (WAFs) are configured to detect and block XSS payloads targeting this parameter. Conduct security testing and code reviews focusing on input sanitization to prevent similar vulnerabilities.