CVE-2024-39174 is a reflected or stored cross-site scripting (XSS) vulnerability identified in the Publish Article function of the content management system yzmcms version 7.1. The vulnerability arises because the application fails to properly sanitize or encode user-supplied input when publishing articles, allowing attackers to inject malicious JavaScript or HTML code. When a victim views the compromised article, the injected script executes within their browser context, potentially stealing session cookies, performing actions on behalf of the user, or redirecting to malicious sites. The vulnerability requires no authentication (AV:N) and has low attack complexity (AC:L), but user interaction is necessary (UI:R) as the victim must load the malicious article. The scope is changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges, impacting confidentiality and integrity (C:L/I:L) but not availability (A:N). The CVSS 3.1 base score is 6.1, reflecting a medium severity. No patches or known exploits have been reported yet, but the vulnerability is publicly disclosed and should be addressed promptly. This vulnerability is classified under CWE-79, a common and well-understood web security issue.

The primary impact of CVE-2024-39174 is on the confidentiality and integrity of users interacting with the vulnerable yzmcms platform. Successful exploitation can lead to session hijacking, credential theft, or unauthorized actions performed in the context of the victim’s browser session. This can compromise user accounts, lead to defacement of published content, or facilitate further attacks such as phishing or malware distribution. For organizations, this can result in reputational damage, loss of user trust, and potential regulatory consequences if sensitive data is exposed. Since the vulnerability does not affect availability, denial-of-service is not a direct concern. However, the ease of exploitation without authentication and the widespread use of CMS platforms for publishing content make this a significant risk, especially for websites with high traffic or sensitive user bases.

To mitigate CVE-2024-39174, organizations should implement strict input validation and output encoding on all user-supplied content in the Publish Article function. Employing a whitelist approach for allowed HTML tags and attributes can reduce injection risks. Use security libraries or frameworks that automatically handle XSS protection. Content Security Policy (CSP) headers should be configured to restrict script execution sources. Regularly audit published content for suspicious scripts or anomalies. Since no official patch is currently available, consider temporarily disabling or restricting article publishing capabilities to trusted users only. Monitor web logs for unusual payloads or repeated attempts to inject scripts. Educate content creators and administrators about the risks of injecting untrusted code. Finally, stay updated with vendor advisories for any forthcoming patches or fixes.