CVE-2024-57774 is a cross-site scripting (XSS) vulnerability identified in the getBusinessUploadListPage?busid interface of JFinalOA, an enterprise office automation platform. The vulnerability exists because the application fails to properly sanitize or encode user-supplied input in the 'busid' parameter, allowing attackers to inject malicious scripts or HTML content. When an authenticated user with high privileges interacts with the vulnerable interface, the injected scripts can execute in the context of the victim’s browser session. This can lead to unauthorized actions such as stealing session cookies, defacing web content, or performing actions on behalf of the user. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation. The CVSS v3.1 vector indicates network attack vector (AV:N), low attack complexity (AC:L), requiring high privileges (PR:H), and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. Confidentiality and integrity impacts are low, while availability is unaffected. No known public exploits or patches are currently available, but the vulnerability was published on January 16, 2025, with a medium severity rating and a CVSS score of 4.8.

The primary impact of CVE-2024-57774 is on the confidentiality and integrity of data within JFinalOA deployments. Exploitation could allow attackers to execute arbitrary scripts in the context of authenticated users, potentially leading to session hijacking, unauthorized data access, or manipulation of user interface elements. Although the attack requires high privileges and user interaction, successful exploitation could facilitate lateral movement or privilege escalation within an organization’s internal network. This risk is particularly relevant for organizations relying heavily on JFinalOA for business operations, as compromised sessions could expose sensitive corporate information or disrupt workflows. The absence of known exploits reduces immediate risk, but the vulnerability remains a concern for organizations with delayed patching cycles. Given the medium CVSS score, the threat is moderate but should not be ignored, especially in environments with high-value targets or sensitive data.

To mitigate CVE-2024-57774, organizations should first verify if their JFinalOA deployment is running a version prior to 2025.01.01 and plan to upgrade to the latest version once available. In the absence of an official patch, implement input validation and output encoding on the 'busid' parameter to neutralize malicious scripts. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the vulnerable interface. Restrict access to the getBusinessUploadListPage interface to only trusted, necessary users and monitor logs for unusual activity. Educate users about the risks of interacting with untrusted links or payloads within the application. Additionally, enforce the principle of least privilege to limit the number of users with high privileges, reducing the attack surface. Regularly review and update security policies and incident response plans to address potential XSS exploitation scenarios.