CVE-2024-58322 is a stored cross-site scripting vulnerability identified in the Kentico Xperience platform, specifically within the shipping options configuration module. This vulnerability arises due to improper neutralization of input during web page generation, allowing attackers to inject malicious JavaScript code that is stored persistently and executed in the browsers of users who access the affected configuration pages. The flaw enables attackers to perform actions such as stealing session cookies, capturing sensitive user data, or performing unauthorized actions on behalf of the victim. The vulnerability has a CVSS 4.0 base score of 5.1, indicating medium severity, with an attack vector of network (remote exploitation), low attack complexity, no privileges required, but user interaction is necessary. The impact on confidentiality and integrity is limited but present, while availability impact is negligible. No known exploits have been reported in the wild yet, but the vulnerability poses a risk especially in environments where multiple users manage shipping configurations or where customers interact with these configurations. The affected versions are not explicitly detailed, but organizations running Kentico Xperience should assume exposure until patches are released. The vulnerability highlights the importance of proper input validation and output encoding in web applications to prevent XSS attacks.

For European organizations, the impact of CVE-2024-58322 can be significant in sectors relying on Kentico Xperience for e-commerce and content management, particularly those with customer-facing shipping configuration interfaces. Exploitation could lead to theft of sensitive customer data, including personal information and session tokens, potentially resulting in account compromise or fraud. This can damage customer trust, lead to regulatory penalties under GDPR for data breaches, and cause financial losses. The medium severity suggests that while the vulnerability is not critical, it still poses a tangible risk, especially in high-traffic web environments. Organizations with multiple administrators or users managing shipping options are at higher risk due to the stored nature of the XSS. Additionally, attackers could use the vulnerability as a foothold for further attacks within the network. The absence of known exploits currently provides a window for proactive mitigation.

1. Immediately review and sanitize all inputs related to shipping options configuration to ensure proper encoding and neutralization of potentially malicious scripts. 2. Apply any available patches or updates from Kentico as soon as they are released. 3. Implement strict Content Security Policies (CSP) to restrict the execution of unauthorized scripts in browsers. 4. Limit access to the shipping options configuration interface to trusted administrators and enforce strong authentication and authorization controls. 5. Conduct regular security audits and penetration testing focusing on input validation and stored XSS vulnerabilities. 6. Educate administrators and users about the risks of XSS and encourage vigilance for suspicious behavior or unexpected page content. 7. Monitor web application logs and user activity for signs of exploitation attempts or unusual script injections. 8. Consider deploying web application firewalls (WAF) with rules tuned to detect and block XSS payloads targeting Kentico Xperience.