CVE-2024-37732 is a Cross Site Scripting (XSS) vulnerability identified in Anchor CMS version 0.12.7. This vulnerability arises from improper sanitization of input related to PDF file handling within the CMS, allowing a remote attacker to inject malicious scripts via a crafted PDF file. When a user interacts with the malicious PDF, the embedded script executes in the context of the victim's browser, enabling the attacker to perform arbitrary code execution. The vulnerability does not require any authentication or privileges, making it accessible to unauthenticated remote attackers. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability. The attack vector is network-based with low attack complexity, but user interaction is necessary to trigger the exploit. This vulnerability falls under CWE-80, indicating a failure to properly neutralize script-related HTML tags in the input. No official patches or exploit code are currently available, but the risk remains significant due to the potential for session hijacking, data theft, or further system compromise. Anchor CMS users should monitor for updates and consider interim mitigations to reduce exposure.

The impact of CVE-2024-37732 is substantial for organizations using Anchor CMS 0.12.7. Successful exploitation can lead to full compromise of user sessions, theft of sensitive data, unauthorized actions performed on behalf of users, and potential spread of malware. The vulnerability affects confidentiality by exposing sensitive information, integrity by allowing unauthorized modifications, and availability by potentially enabling denial-of-service conditions through malicious scripts. Since the exploit requires user interaction, phishing or social engineering campaigns could be used to increase success rates. Organizations relying on Anchor CMS for web content management, especially those handling sensitive or personal data, face significant risks including reputational damage and regulatory consequences. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits rapidly once details are public.

To mitigate CVE-2024-37732, organizations should first verify if they are running Anchor CMS version 0.12.7 and plan to upgrade to a patched version once available. In the absence of an official patch, implement strict input validation and sanitization on any uploaded or processed PDF files to prevent malicious script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Disable or restrict PDF file uploads if not required, or scan uploaded files with security tools to detect malicious content. Educate users about the risks of interacting with untrusted PDF files, especially those received via email or external sources. Monitor web server logs for unusual activity related to PDF handling. Additionally, consider deploying Web Application Firewalls (WAFs) with rules targeting XSS payloads to provide an additional layer of defense. Regularly review and update security configurations and maintain awareness of Anchor CMS security advisories.