CVE-2024-58321: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Kentico Xperience
A stored cross-site scripting vulnerability in Kentico Xperience allows attackers to inject malicious scripts via form validation rule configuration. Attackers can exploit this vulnerability to execute malicious scripts that will run in users' browsers.
AI Analysis
Technical Summary
CVE-2024-58321 is a stored cross-site scripting (XSS) vulnerability identified in Kentico Xperience, a popular web content management system. The vulnerability arises from improper neutralization of input during web page generation, specifically through the form validation rule configuration interface. Attackers with low privileges can inject malicious JavaScript code into these validation rules, which are then stored and rendered in web pages viewed by other users. When victims access the affected pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The vulnerability does not require authentication to exploit but does require some level of privilege (PR:L) to configure validation rules, and user interaction (UI:P) to trigger the malicious script. The CVSS 4.0 base score is 5.1, reflecting medium severity due to the moderate impact on confidentiality and integrity, limited impact on availability, and the ease of exploitation given low complexity and no need for advanced privileges. No public exploits have been reported yet, but the vulnerability poses a significant risk to organizations relying on Kentico Xperience for managing web content, especially those with public-facing forms and interactive user input. The lack of available patches at the time of publication necessitates immediate attention to mitigation strategies to prevent exploitation.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized execution of malicious scripts in users' browsers, compromising user data confidentiality and integrity. Attackers could steal session cookies, perform actions on behalf of users, or redirect users to malicious sites, potentially damaging organizational reputation and leading to regulatory non-compliance under GDPR. Public-facing websites and portals using Kentico Xperience are particularly vulnerable, increasing the risk of widespread exploitation. The medium severity indicates moderate risk, but the potential for targeted attacks against high-value users or administrators could escalate impact. Additionally, compromised user sessions could facilitate further lateral movement or data exfiltration within affected organizations. The vulnerability's exploitation could disrupt trust in digital services and lead to financial and legal consequences for European entities.
Mitigation Recommendations
Organizations should immediately audit and restrict access to form validation rule configurations within Kentico Xperience to trusted administrators only. Implement strict input validation and sanitization on all user-configurable fields, especially those related to form validation rules. Deploy Content Security Policies (CSP) to limit the execution of unauthorized scripts in browsers. Monitor web application logs for unusual changes to validation rules or unexpected script injections. Until official patches are released, consider disabling or limiting form validation rule customization features if feasible. Educate administrators and developers about secure coding practices and the risks of stored XSS. Regularly update Kentico Xperience installations and subscribe to vendor security advisories to apply patches promptly once available. Employ web application firewalls (WAFs) with rules targeting XSS payloads as an additional protective layer.
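As an added illustration of the audit and output-encoding mitigations above (this is example code, not Kentico's or the advisory's own), the following Python script scans an exported set of validation rules for markup in their human-readable error messages and shows how such a message should be encoded before it is rendered into a page. The rule records and their field names are constructed assumptions; the advisory does not describe Kentico's actual configuration format.

```python
import html
import re

# Constructed sample of exported form validation rules (not real Kentico data).
# Each rule carries a user-editable error message that the CMS later renders in a page.
SAMPLE_RULES = [
    {"id": 1, "field": "Email", "error_message": "Please enter a valid e-mail address."},
    {"id": 2, "field": "Phone", "error_message": "Digits only <script>x()</script>"},
    {"id": 3, "field": "Web", "error_message": 'See <a href="javascript:void(0)">help</a>'},
    {"id": 4, "field": "Name", "error_message": "Value must be 2 < length < 50 chars"},
]

# Markup that never belongs in a plain-text validation message.
SUSPICIOUS_PATTERNS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>"),
    "event_handler": re.compile(r"\bon[a-zA-Z]+\s*=", re.IGNORECASE),
    "script_scheme": re.compile(r"javascript\s*:", re.IGNORECASE),
}


def audit_rule(rule):
    """Return the names of the patterns matched by the rule's error message."""
    text = rule.get("error_message", "")
    return [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(text)]


def audit_rules(rules):
    """Map rule id -> matched pattern names, for every rule whose message looks like markup."""
    findings = {}
    for rule in rules:
        hits = audit_rule(rule)
        if hits:
            findings[rule["id"]] = hits
    return findings


def render_message(text):
    """Encode a stored message for an HTML text context so it cannot open a tag or attribute."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    for rule_id, hits in audit_rules(SAMPLE_RULES).items():
        print(f"rule {rule_id}: {', '.join(hits)}")
    print(render_message(SAMPLE_RULES[1]["error_message"]))
```

Rule 4 is deliberately a legitimate message containing bare `<` characters; the tag pattern requires a closing `>` so it is not flagged, while rules 2 and 3 are.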
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2025-12-17T16:51:11.810Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69445ff24eb3efac36a51458
Added to database: 12/18/2025, 8:11:30 PM
Last enriched: 1/1/2026, 10:29:22 PM
Last updated: 2/6/2026, 2:01:49 AM