CVE-2024-52951 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, discovered in Omada Identity software versions prior to 15 update 1. This vulnerability arises from insufficient input sanitization in the Access Request History feature, allowing an authenticated attacker to inject malicious JavaScript code that is persistently stored and later executed in the browsers of users who access the manipulated history records. The attack vector requires the attacker to be authenticated within the system and to either trick a victim into clicking a specially crafted link or rely on the victim viewing the compromised Access Request History page. The CVSS v3.1 score of 8.0 reflects a high severity due to the network attack vector, low attack complexity, required privileges, and user interaction. The impact includes full compromise of the victim’s browser session, potential theft of sensitive information, session hijacking, and possible further exploitation of the victim’s environment. Although no exploits are currently known in the wild, the vulnerability poses a significant risk to organizations relying on Omada Identity for identity and access management. The lack of available patches at the time of publication necessitates immediate attention to mitigation strategies.

The vulnerability can lead to severe consequences for organizations worldwide using Omada Identity, including unauthorized access to sensitive identity and access management data, session hijacking, and lateral movement within networks. The ability to execute arbitrary code in user browsers compromises confidentiality and integrity of user sessions and data, potentially enabling attackers to escalate privileges or deploy further attacks such as credential theft or malware delivery. Availability may also be impacted if attackers disrupt normal operations by injecting disruptive scripts. Given the critical role of identity management platforms in enterprise security, exploitation could undermine trust in authentication processes and lead to broader security breaches. The requirement for authentication and user interaction somewhat limits the attack scope but does not eliminate risk, especially in environments with many users and frequent access to the affected feature.

Organizations should prioritize upgrading Omada Identity to version 15 update 1 or later once available to eliminate the vulnerability. Until patches are released, administrators should restrict access to the Access Request History feature to only trusted users and monitor for unusual activity indicative of exploitation attempts. Implementing strict input validation and output encoding on all user-supplied data in the Access Request History can reduce risk. Additionally, deploying Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Security teams should educate users about the risks of clicking suspicious links and encourage cautious behavior. Regularly auditing logs for anomalous access patterns and employing web application firewalls (WAFs) with rules targeting XSS attacks may provide temporary protection. Finally, organizations should prepare incident response plans specific to XSS exploitation scenarios to minimize damage if an attack occurs.