CVE-2024-33297 is a medium-severity Cross Site Scripting (XSS) vulnerability affecting Microweber version 2.0.9, a content management system used for website and campaign management. The vulnerability arises from insufficient input sanitization in the 'campaign Name (Internal Name)' field within the 'Add new campaign' functionality. An attacker with authenticated access and high privileges can inject malicious scripts into this field, which could be executed in the context of other users viewing or managing campaigns. This can lead to arbitrary code execution in the victim's browser, potentially enabling session hijacking, defacement, or further attacks on the application or users. The CVSS vector indicates network attack vector (AV:N), low attack complexity (AC:L), but requires privileges (PR:H) and no user interaction (UI:N). The impact on confidentiality, integrity, and availability is limited but non-negligible, as the attacker must already have elevated access. No public exploits or patches are currently available, and the vulnerability was reserved in April 2024 and published in January 2025. This vulnerability is classified under CWE-79, highlighting improper neutralization of input leading to XSS.

The primary impact of CVE-2024-33297 is the potential for attackers with high privileges to execute arbitrary scripts within the Microweber CMS environment. This can compromise user sessions, steal sensitive information, or manipulate campaign data. While the vulnerability requires authenticated access, it can still lead to privilege escalation or lateral movement if exploited in conjunction with other vulnerabilities. Organizations relying on Microweber for marketing campaigns or website management may face reputational damage, data integrity issues, or unauthorized access to internal resources. The absence of known exploits reduces immediate risk, but the medium severity score indicates that exploitation could disrupt normal operations or lead to data leakage. The vulnerability's scope is limited to environments where Microweber 2.0.9 is deployed and where multiple users have campaign creation privileges.

To mitigate CVE-2024-33297, organizations should implement strict input validation and sanitization on the 'campaign Name (Internal Name)' field to prevent script injection. Until an official patch is released, restrict campaign creation privileges to trusted users only and monitor logs for suspicious activity related to campaign creation. Employ Content Security Policy (CSP) headers to limit the impact of potential XSS attacks by restricting script execution sources. Conduct regular security audits and penetration tests focusing on input fields in Microweber. Additionally, educate users about the risks of XSS and ensure that all software components are kept up to date once patches become available. Consider isolating the Microweber environment or using web application firewalls (WAFs) with custom rules to detect and block malicious payloads targeting this vulnerability.