CVE-2024-56175 is a stored cross-site scripting (XSS) vulnerability identified in Optimizely Configured Commerce versions before 5.2.2408. The root cause is client-side template injection in the handling of list item names, which allows attackers to inject malicious scripts that are stored on the server and later executed in the browsers of users who view the affected content. This vulnerability falls under CWE-79, indicating improper neutralization of input leading to XSS. The attack vector is network-based with low attack complexity, requiring no privileges but user interaction (e.g., a user viewing a maliciously crafted list item). The vulnerability impacts confidentiality and integrity by potentially exposing sensitive user data or enabling unauthorized actions via script execution, but it does not affect system availability. The scope is changed (S:C) because the vulnerability affects components beyond the vulnerable code itself, impacting users interacting with the application. No patches are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability highlights the risk of insufficient input sanitization and template injection in client-side rendering contexts within e-commerce platforms.

The primary impact of CVE-2024-56175 is the potential compromise of user confidentiality and integrity through the execution of malicious scripts in users' browsers. This can lead to theft of session tokens, user credentials, or personal data, as well as unauthorized actions performed on behalf of users. For organizations, this can result in reputational damage, loss of customer trust, and potential regulatory penalties if sensitive data is exposed. Although availability is not directly impacted, the indirect effects of exploitation, such as account takeover or fraudulent transactions, can disrupt business operations. The vulnerability affects all users who interact with the compromised list items, potentially impacting a broad user base depending on the deployment scale of Optimizely Configured Commerce. Given the e-commerce context, attackers could leverage this vulnerability for fraud, phishing, or spreading malware, increasing the threat to organizations globally.

Organizations should immediately review their use of Optimizely Configured Commerce and plan to upgrade to version 5.2.2408 or later once patches are released. In the interim, implement strict input validation and sanitization on all user-supplied data, especially list item names, to prevent injection of malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Regularly audit client-side templates and rendering logic to ensure no unsafe dynamic content injection occurs. Monitor application logs and user reports for suspicious activity indicative of attempted XSS exploitation. Educate developers on secure coding practices related to client-side templating and XSS prevention. Additionally, consider deploying web application firewalls (WAFs) with rules targeting XSS payloads to provide an additional layer of defense.