CVE-2024-57772 identifies a cross-site scripting (XSS) vulnerability in the JFinalOA enterprise office automation software, specifically in the /bumph/getDraftListPage?type interface. This vulnerability exists in versions prior to 2025.01.01 and allows attackers to inject and execute arbitrary web scripts or HTML content. The attack vector is network-based (AV:N), with low attack complexity (AC:L), but requires the attacker to have high privileges (PR:H) and user interaction (UI:R). The vulnerability impacts confidentiality and integrity by potentially allowing attackers to steal sensitive information or manipulate web content within the affected application context. The scope is changed (S:C), indicating that exploitation could affect resources beyond the initially vulnerable component. No patches or exploits are currently publicly available, and no known active exploitation has been reported. The vulnerability is classified under CWE-79, a common weakness related to improper neutralization of input during web page generation. The CVSS v3.1 base score is 4.8, reflecting a medium severity level. The absence of patches necessitates cautious mitigation strategies until official fixes are released.

The primary impact of CVE-2024-57772 is on the confidentiality and integrity of data handled by JFinalOA systems. Successful exploitation could allow attackers to execute malicious scripts, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of legitimate users. Since the vulnerability requires high privileges and user interaction, the risk is somewhat mitigated but remains significant in environments where privileged users access the vulnerable interface. The vulnerability does not affect system availability directly. Organizations relying on JFinalOA for internal office automation and document management could face data breaches or manipulation of critical workflows. The lack of known exploits reduces immediate risk, but the presence of this vulnerability in enterprise software used in business-critical environments worldwide means that attackers might develop exploits in the future, increasing the threat landscape.

Until an official patch is released, organizations should implement strict input validation and output encoding on the /bumph/getDraftListPage?type interface to prevent injection of malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the browser context. Limit access to the vulnerable interface strictly to trusted and necessary users, reducing the attack surface. Monitor logs for unusual activity or attempts to inject scripts. Educate privileged users about the risks of interacting with suspicious links or payloads. Once a patch becomes available, prioritize its deployment across all affected systems. Additionally, conduct regular security assessments and penetration testing focused on web application vulnerabilities to detect similar issues proactively.