CVE-2024-46654: n/a
A stored cross-site scripting (XSS) vulnerability in the Add Scheduled Task module of Maccms10 v2024.1000.4040 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
AI Analysis
Technical Summary
CVE-2024-46654 is a stored cross-site scripting (XSS) vulnerability identified in the Add Scheduled Task module of Maccms10 version 2024.1000.4040. Stored XSS vulnerabilities occur when malicious input is saved by the application and later rendered in a web page without proper sanitization or encoding, allowing attackers to execute arbitrary JavaScript or HTML in the context of other users. In this case, the vulnerability resides specifically in the scheduled task addition functionality, where crafted payloads can be injected and persist within the system. The CVSS 3.1 vector indicates that the attack vector is network-based (AV:N), with low attack complexity (AC:L), but requires high privileges (PR:H) and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact is to confidentiality and integrity (C:L/I:L) but not availability (A:N). This suggests that attackers could potentially steal sensitive information or manipulate data within the application but cannot disrupt service availability. No patches or fixes have been published yet, and there are no known exploits in the wild. The vulnerability is classified under CWE-79, the standard classification for cross-site scripting issues. Given the requirement for authenticated high-privilege access and user interaction, exploitation is largely limited to insider threats or compromised accounts. However, if exploited, attackers could perform actions such as session hijacking, defacement, or injecting malicious scripts that affect other users or administrators.
Potential Impact
The primary impact of CVE-2024-46654 is on the confidentiality and integrity of data within Maccms10 installations. Attackers who successfully exploit this vulnerability can execute arbitrary scripts in the context of other users, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of legitimate users. Since the vulnerability requires high privileges and user interaction, the risk is somewhat mitigated but remains significant in environments where multiple users have elevated access or where social engineering can be leveraged. Organizations relying on Maccms10 for media content management or streaming services could face reputational damage, data breaches, or unauthorized content manipulation. The lack of a patch increases the window of exposure, and attackers could develop exploits once the vulnerability details become widely known. The scope change in the CVSS vector indicates that the vulnerability could affect components beyond the immediate module, potentially increasing the attack surface. Overall, the threat could lead to targeted attacks against administrators or privileged users, undermining trust in and the security of the platform.
Mitigation Recommendations
To mitigate CVE-2024-46654, organizations should first restrict access to the Add Scheduled Task module to only the most trusted and necessary users, minimizing the number of high-privilege accounts. Implement strict input validation and output encoding on all user-supplied data within the scheduled task module to prevent injection of malicious scripts. Employ Content Security Policy (CSP) headers to reduce the impact of any injected scripts by restricting the sources from which scripts can be loaded. Monitor logs and user activity for unusual behavior, especially around scheduled task creation or modification. Since no official patch is available yet, consider applying virtual patching via Web Application Firewalls (WAFs) that can detect and block typical XSS payloads targeting this module. Educate privileged users about the risks of social engineering and the importance of cautious interaction with links or inputs that could trigger malicious scripts. Stay alert for vendor updates or patches and apply them promptly once released. Additionally, conduct regular security assessments and penetration testing focused on the scheduled task functionality to identify and remediate similar issues proactively.
Affected Countries
China, India, United States, South Korea, Japan, Russia, Germany, Brazil, United Kingdom, France
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-09-11T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d04b7ef31ef0b56d3f3
Added to database: 2/25/2026, 9:43:32 PM
Last enriched: 2/28/2026, 7:30:21 AM
Last updated: 4/11/2026, 6:44:10 PM