CVE-2024-45960 is a vulnerability identified in Zenario version 9.7.61188, a content management system, where authenticated administrators can upload PDF files containing embedded malicious code. These PDFs, when accessed through the website, can execute a Cross Site Scripting (XSS) attack against users viewing the content. The vulnerability arises because the system does not properly sanitize or validate the content of uploaded PDF files, allowing embedded scripts or malicious payloads to execute in the context of the victim's browser. The attack vector requires an attacker to have administrative privileges to upload the malicious PDF and for a user to interact with the file via the web interface, triggering the XSS. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating a failure to properly handle untrusted input leading to script injection. The CVSS v3.1 base score is 4.8 (medium severity), reflecting network attack vector, low attack complexity, high privileges required, and user interaction needed. The scope is changed, indicating that the vulnerability affects components beyond the initially vulnerable component. No patches or exploits are currently publicly available, but the risk remains due to the potential for privilege escalation and session hijacking through XSS.

The primary impact of CVE-2024-45960 is the potential compromise of confidentiality and integrity of user sessions and data through XSS attacks. An attacker with admin privileges can upload malicious PDFs that, when accessed by other users, can execute arbitrary scripts in their browsers. This can lead to theft of session cookies, defacement, or redirection to malicious sites. Although availability is not directly affected, the trustworthiness of the affected website can be severely damaged. Organizations relying on Zenario CMS for public-facing websites or intranet portals are at risk of targeted attacks, especially if admin accounts are compromised or insufficiently protected. The requirement for admin privileges limits the attack surface but insider threats or credential compromise can enable exploitation. The vulnerability could be leveraged in sophisticated attack chains to escalate privileges or move laterally within an organization’s network.

To mitigate CVE-2024-45960, organizations should immediately restrict administrative access to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA). Implement strict file upload validation on the server side to detect and block PDFs containing embedded scripts or suspicious content. Employ Content Security Policy (CSP) headers to limit the impact of potential XSS attacks by restricting script execution contexts. Regularly audit uploaded files and monitor web server logs for unusual access patterns to detect exploitation attempts. If possible, upgrade to a patched version of Zenario once available or apply vendor-recommended workarounds. Additionally, educate administrators about the risks of uploading untrusted files and encourage the use of sandboxed environments for testing content before publishing. Consider isolating the document viewer component or using third-party secure PDF rendering services that sanitize content before display.