CVE-2024-54451 is a cross-site scripting (XSS) vulnerability identified in the Kurmi Provisioning Suite, a software product used for managing telecommunication services and network provisioning. The vulnerability specifically affects the graphicCustomization.do page in versions before 7.9.0.38, 7.10.x through 7.10.0.18, and 7.11.x through 7.11.0.15. The issue arises because the COMPONENT_fields(htmlTitle) parameter accepts input from authenticated system administrators without proper sanitization or encoding. When a super-administrator enables graphical customization, the injected malicious HTML or JavaScript is rendered on other pages viewed by all users, potentially including lower-privileged users. This cross-site scripting flaw allows attackers with administrative privileges to execute arbitrary scripts in the context of other users’ browsers, potentially leading to session hijacking, unauthorized actions, or data exposure. However, exploitation requires the attacker to be authenticated as a system administrator and for the graphical customization feature to be activated, which limits the attack vector. The CVSS v3.1 base score is 4.8 (medium), reflecting the need for high privileges and user interaction. No public exploits or patches are currently reported, but the vulnerability is documented and published as of December 2024.

The primary impact of CVE-2024-54451 is the potential for cross-site scripting attacks that could compromise the confidentiality and integrity of user sessions within the Kurmi Provisioning Suite environment. Since the vulnerability requires authenticated system administrator access, the risk of external attackers exploiting this flaw directly is low. However, insider threats or compromised administrator accounts could leverage this vulnerability to inject malicious scripts that affect other users, potentially leading to session hijacking, unauthorized commands, or information disclosure. The availability impact is negligible as the vulnerability does not enable denial of service. Organizations relying on Kurmi Provisioning Suite for critical telecom provisioning and network management may face operational risks if attackers manipulate the interface or steal credentials. The scope of affected systems is limited to installations using the vulnerable versions with graphical customization enabled, but the impact on affected organizations could be significant due to the privileged nature of the software and the sensitive data it manages.

To mitigate CVE-2024-54451, organizations should implement the following specific measures: 1) Upgrade Kurmi Provisioning Suite to versions 7.9.0.38 or later, 7.10.0.19 or later, or 7.11.0.16 or later once patches are released by the vendor. 2) Until patches are available, restrict system administrator access strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA). 3) Disable the graphical customization feature if it is not essential, as this reduces the attack surface by preventing the rendering of injected scripts. 4) Conduct regular audits of administrator activities and monitor logs for suspicious input or changes to the COMPONENT_fields(htmlTitle) parameter. 5) Implement web application firewall (WAF) rules to detect and block suspicious script injections targeting the graphicCustomization.do page. 6) Educate administrators about the risks of injecting arbitrary HTML or scripts and enforce input validation policies. These targeted actions go beyond generic advice by focusing on the specific vulnerable component and usage context.