CVE-2024-51506 is a stored cross-site scripting (XSS) vulnerability identified in Tiki CMS, a widely used open-source content management system, up to version 27.0. The vulnerability arises because users with certain elevated permissions can insert malicious JavaScript payloads into the description field when creating wiki pages. This stored XSS flaw (CWE-79) allows the injected script to persist in the application and execute in the browsers of other users who view the affected wiki pages. The CVSS 3.1 base score is 4.8, indicating medium severity, with the vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. This means the attack can be performed remotely over the network with low complexity but requires high privileges and user interaction (such as clicking a crafted link). The vulnerability impacts confidentiality and integrity by potentially allowing attackers to steal session tokens, perform actions on behalf of users, or manipulate displayed content. Availability is not impacted. No public exploits have been reported yet, and no patches are currently linked, suggesting the vulnerability is newly disclosed. The scope is 'changed' because the vulnerability affects resources beyond the attacker’s privileges once exploited. The vulnerability is significant in environments where multiple users collaborate using Tiki’s wiki features and where user permissions are not tightly controlled.

The primary impact of CVE-2024-51506 is the compromise of confidentiality and integrity within organizations using Tiki CMS for collaborative content management. Attackers with elevated permissions can inject malicious scripts that execute in other users’ browsers, potentially leading to session hijacking, unauthorized actions, or data manipulation. This can erode trust in the platform, cause data leakage, and facilitate further attacks such as privilege escalation or lateral movement. Since availability is unaffected, service disruption is unlikely. However, the requirement for elevated privileges limits the attack surface to insiders or compromised accounts, reducing but not eliminating risk. Organizations with large user bases or sensitive information managed via Tiki wiki pages are at higher risk. The lack of known exploits suggests limited immediate threat, but the vulnerability could be weaponized if exploited in targeted attacks. Overall, the impact is medium but could escalate if combined with other vulnerabilities or poor access controls.

To mitigate CVE-2024-51506, organizations should immediately review and tighten user permissions within Tiki CMS, ensuring only trusted users have rights to create or edit wiki pages. Implement strict role-based access control (RBAC) to minimize the number of users with elevated privileges. Monitor wiki page content for suspicious or unexpected scripts and enable logging to detect anomalous activities. Employ web application firewalls (WAFs) with rules to detect and block XSS payloads targeting Tiki CMS. Sanitize and validate all user inputs on the server side, especially in the wiki description fields, to prevent script injection. Stay alert for official patches or updates from Tiki CMS developers and apply them promptly once released. Educate users about the risks of clicking on suspicious links or content within the wiki environment. Consider isolating the wiki platform within a segmented network zone to limit potential lateral movement. Regularly audit the CMS environment for signs of compromise or misuse of privileges.