CVE-2024-54305 is a reflected Cross-site Scripting (XSS) vulnerability identified in the jt-express product of J&T Express Malaysia, affecting versions up to and including 2.0.13. The flaw stems from improper neutralization of input during web page generation, which allows attackers to inject malicious JavaScript code into web pages viewed by other users. When a victim accesses a crafted URL containing malicious payloads, the injected script executes within their browser context. This can lead to theft of session cookies, user credentials, or other sensitive information, as well as unauthorized actions performed on behalf of the user. The vulnerability does not require prior authentication, increasing its risk profile, and does not currently have any reported active exploitation in the wild. However, reflected XSS vulnerabilities are commonly exploited via phishing or social engineering to lure users into clicking malicious links. The absence of a CVSS score indicates the need for a severity assessment based on potential impact and exploitability. The vulnerability affects the web interface of J&T Express Malaysia, a logistics and parcel delivery service widely used in Malaysia and neighboring countries. The technical root cause is insufficient input validation or output encoding in the web application code, which fails to sanitize user-supplied data before embedding it into HTML responses. This type of vulnerability is a classic web security issue and can be mitigated by proper input validation, output encoding, and implementing Content Security Policy (CSP) headers.

The primary impact of CVE-2024-54305 is on the confidentiality and integrity of user data accessed through the J&T Express Malaysia web platform. Attackers exploiting this vulnerability can execute arbitrary scripts in victims' browsers, potentially stealing session tokens, login credentials, or personal information. This can lead to unauthorized account access, fraudulent transactions, or further compromise of user systems. Additionally, attackers may redirect users to malicious websites or perform actions on behalf of users without their consent, damaging the reputation of the affected organization. For businesses relying on J&T Express Malaysia's platform, this can result in loss of customer trust, regulatory penalties related to data breaches, and operational disruptions. Although availability is less directly impacted, widespread exploitation could lead to service degradation or increased support costs. The lack of authentication requirement and ease of exploitation through crafted URLs make this vulnerability particularly dangerous, especially in phishing campaigns targeting customers or employees. Organizations worldwide using or integrating with J&T Express Malaysia services are at risk, with Southeast Asian countries being the most affected due to market penetration.

To mitigate CVE-2024-54305, organizations should immediately update the jt-express product to a version patched by the vendor once available. In the absence of an official patch, implement strict input validation on all user-supplied data to ensure it does not contain executable code or script tags. Employ context-aware output encoding (e.g., HTML entity encoding) when rendering user inputs in web pages to prevent script execution. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Additionally, enable HTTP-only and Secure flags on cookies to protect session tokens from theft via script access. Conduct thorough security testing, including automated and manual penetration testing, focusing on input handling and output encoding. Educate users and employees about phishing risks and encourage cautious behavior when clicking on links. Monitor web traffic and logs for suspicious requests that may indicate exploitation attempts. Finally, consider implementing Web Application Firewalls (WAFs) with rules designed to detect and block XSS payloads targeting the affected endpoints.