CVE-2024-45986 identifies a stored Cross-Site Scripting (XSS) vulnerability in Projectworld Online Voting System version 1.0. This vulnerability arises because the application fails to properly sanitize or encode user-supplied input during account registration. An attacker can inject malicious JavaScript payloads into the account registration fields. These payloads are stored persistently in the system and executed whenever the affected pages, voter.php and profile.php, are accessed to display account information. The vulnerability requires the attacker to have the ability to register an account (limited privileges) and relies on user interaction to trigger the malicious script execution. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, privileges required, user interaction required, scope changed, and low impact on confidentiality and integrity, with no impact on availability. The vulnerability is classified under CWE-79, which corresponds to improper neutralization of input during web page generation leading to XSS. No patches or known exploits have been reported as of the publication date. The vulnerability could be exploited to steal session cookies, perform actions on behalf of users, or deface user profiles, potentially undermining voter trust and election integrity.

The primary impact of this vulnerability is on the confidentiality and integrity of user data within the Projectworld Online Voting System. An attacker exploiting this XSS flaw could execute arbitrary JavaScript in the context of other users, potentially stealing session tokens, manipulating displayed data, or conducting phishing attacks. This could lead to unauthorized actions being performed on behalf of legitimate users, undermining the integrity of the voting process. While availability is not directly affected, the reputational damage and loss of voter confidence could be significant. Organizations relying on this system for election management or voting processes face risks of manipulation or disruption of democratic processes. The medium CVSS score reflects the moderate ease of exploitation combined with limited but impactful consequences. The absence of known exploits in the wild suggests the threat is currently low but could increase if weaponized. The vulnerability also poses risks for compliance with data protection regulations if voter data confidentiality is compromised.

To mitigate CVE-2024-45986, organizations should implement strict input validation and output encoding on all user-supplied data, especially during account registration and when displaying account information on voter.php and profile.php pages. Employing a Content Security Policy (CSP) can help reduce the impact of injected scripts. Restricting account registration to verified users or implementing CAPTCHA challenges can reduce the risk of automated malicious registrations. Regular security code reviews and penetration testing focused on XSS vulnerabilities are recommended. If possible, isolate user-generated content from sensitive application contexts using sandboxing or iframe techniques. Monitoring logs for unusual account registrations or script execution attempts can provide early detection. Since no official patches are available, organizations should consider applying custom fixes or workarounds to sanitize inputs and outputs until an official update is released. Educating users about the risks of clicking suspicious links or interacting with untrusted content within the voting system can also reduce exploitation likelihood.