CVE-2024-58304 is a stored cross-site scripting vulnerability identified in SPA-CART CMS version 1.9.0.3, specifically affecting the 'descr' parameter used in the product description field within the product edit form. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), allowing an attacker with authenticated administrator access to inject malicious JavaScript payloads. When an administrator views or interacts with the affected product description, the injected script executes in their browser context, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the CMS. The vulnerability does not require prior privileges or user interaction beyond authenticated access, and the attack vector is network-based with low complexity. The CVSS 4.0 vector indicates no privileges required (PR:N), no authentication required (AT:N), but user interaction is required (UI:P), with low impact on confidentiality and integrity but limited availability impact. Although no public exploits are currently known, the vulnerability poses a significant risk due to the administrative context of the affected users. SPA-CART CMS is a content management system used for e-commerce platforms, and compromise of administrative accounts can lead to full control over the online storefront, data leakage, or further malware deployment.

For European organizations, exploitation of this vulnerability could lead to compromise of administrative accounts managing e-commerce platforms, resulting in unauthorized modification of product listings, theft of sensitive customer data, or insertion of malicious content affecting customers. This can damage brand reputation, lead to regulatory non-compliance (e.g., GDPR violations due to data breaches), and cause financial losses through fraud or downtime. Since the vulnerability requires authenticated administrator access, the risk is heightened in environments with weak credential management or insufficient access controls. Attackers leveraging this vulnerability could pivot to other internal systems or conduct supply chain attacks via compromised CMS infrastructure. The medium CVSS score reflects moderate impact, but the strategic importance of e-commerce platforms in Europe amplifies the potential consequences.

Organizations should immediately audit and restrict administrator access to SPA-CART CMS, ensuring strong authentication mechanisms such as multi-factor authentication (MFA) are enforced. Input validation and output encoding should be implemented or enhanced on the 'descr' parameter to neutralize malicious scripts. Since no official patch is currently available, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting the product description field. Regularly monitor administrative activity logs for anomalous behavior indicative of exploitation attempts. Educate administrators on the risks of XSS and safe handling of product descriptions. Where feasible, isolate the CMS administration interface behind VPNs or IP whitelisting to reduce exposure. Plan for timely patching once a vendor fix is released and test updates in a staging environment before production deployment.