CVE-2024-50803 identifies a Cross Site Scripting (XSS) vulnerability in the mediapool feature of the Redaxo Core CMS version 5.17.1. The mediapool feature, which likely handles media file management within the CMS, fails to properly sanitize user-supplied input, allowing injection of malicious scripts. This XSS vulnerability can be exploited remotely by an attacker with limited privileges (PR:L) and requires user interaction (UI:R), such as convincing a user to click a crafted link or visit a malicious page. The vulnerability has a scope of changed security context (S:C), meaning the attack can escalate privileges or affect other users beyond the attacker’s initial privileges. The CVSS vector indicates network attack vector (AV:N), low attack complexity (AC:L), and impacts confidentiality and integrity partially (C:L/I:L), but does not affect availability (A:N). Although no known exploits are reported in the wild and no patches have been released, the vulnerability poses a risk of privilege escalation through XSS, potentially allowing attackers to execute arbitrary scripts in the context of other users or administrators, leading to unauthorized actions or data leakage within the CMS environment. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation.

The primary impact of CVE-2024-50803 is the potential for privilege escalation within Redaxo CMS environments, which can lead to unauthorized access to sensitive data and administrative functions. Successful exploitation could allow attackers to execute arbitrary JavaScript in the context of other users, potentially stealing session tokens, modifying content, or performing actions on behalf of higher-privileged users. This undermines the confidentiality and integrity of the CMS and its hosted content. Although availability is not directly impacted, the compromise of administrative privileges could lead to further attacks or persistent backdoors. Organizations relying on Redaxo CMS for web content management, especially those with multiple user roles and sensitive data, face increased risk of data breaches and unauthorized modifications. The lack of a patch increases exposure time, and the medium severity suggests a moderate but actionable threat. The requirement for user interaction and some privileges limits the attack surface but does not eliminate risk, especially in environments with many users or where social engineering is feasible.

To mitigate CVE-2024-50803, organizations should first monitor official Redaxo CMS channels for patches or updates addressing this vulnerability and apply them promptly once available. In the interim, administrators should restrict access to the mediapool feature to trusted users only and enforce the principle of least privilege to minimize the number of users with access rights that could be exploited. Implement Content Security Policy (CSP) headers to reduce the impact of XSS by restricting the execution of unauthorized scripts. Additionally, web application firewalls (WAFs) can be configured to detect and block suspicious input patterns targeting the mediapool feature. Educate users about the risks of clicking untrusted links or interacting with unknown content to reduce the likelihood of successful social engineering. Conduct regular security audits and code reviews focusing on input validation and output encoding in custom CMS extensions or plugins. Finally, consider isolating the CMS environment and monitoring logs for unusual activity indicative of exploitation attempts.