CVE-2024-51509 is a stored cross-site scripting (XSS) vulnerability affecting Tiki CMS versions through 27.0. The vulnerability exists in the 'Modules' administration page (tiki-admin_modules.php), where users with specific permissions can insert malicious JavaScript payloads into the 'Name' field of modules. Because this input is stored and later rendered without proper sanitization or output encoding, the malicious script executes in the browser context of other users who view the module list or related pages. This stored XSS can lead to session hijacking, privilege escalation, or unauthorized actions performed on behalf of the victim user. The vulnerability requires the attacker to have authenticated access with elevated privileges (high privileges) and some user interaction to trigger the payload. The CVSS v3.1 vector is AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, indicating network attack vector, low attack complexity, high privileges required, user interaction required, scope changed, and low confidentiality and integrity impacts with no availability impact. No patches or official fixes have been linked yet, and no known exploits are reported in the wild. The CWE classification is CWE-79, which corresponds to improper neutralization of input during web page generation leading to XSS. This vulnerability highlights the risk of insufficient input validation and output encoding in administrative interfaces of web applications, especially those that allow user-generated content to be stored and rendered.

The impact of CVE-2024-51509 primarily affects the confidentiality and integrity of user sessions and data within Tiki CMS environments. An attacker with elevated permissions can inject malicious scripts that execute in the browsers of other users, potentially stealing session cookies, performing actions on behalf of users, or defacing the administrative interface. While availability is not impacted, the compromise of administrative accounts or session hijacking can lead to further unauthorized access or data manipulation. Organizations relying on Tiki CMS for content management, especially those with multiple administrators or editors, face risks of insider threats or attackers leveraging compromised credentials to exploit this vulnerability. The scope is limited to environments where users have high privileges, but the potential for lateral movement and privilege escalation within the CMS or connected systems increases the threat. The absence of known exploits in the wild reduces immediate risk but does not eliminate the need for prompt remediation, as stored XSS vulnerabilities are commonly targeted once disclosed.

To mitigate CVE-2024-51509, organizations should first verify if they are running Tiki CMS versions up to 27.0 and identify users with permissions to modify modules. Immediate mitigation steps include restricting module management permissions to only trusted administrators and monitoring for suspicious activity in the CMS logs. Since no official patch is currently linked, applying manual input validation and output encoding on the 'Name' field in the modules administration page is recommended to prevent script injection. Employing Content Security Policy (CSP) headers can help reduce the impact of XSS by restricting script execution sources. Additionally, enforcing multi-factor authentication (MFA) for administrative accounts reduces the risk of credential compromise. Regularly auditing user permissions and conducting security assessments of the CMS environment will help detect and prevent exploitation. Organizations should monitor official Tiki CMS channels for patches or updates addressing this vulnerability and apply them promptly once available.