CVE-2022-50905

Unknown · Unknown Multiple Products

Executive summary

A critical vulnerability has been identified in multiple products, allowing attackers to execute malicious code within a user's browser through two distinct cross-site scripting (XSS) attacks. Successful exploitation could lead to session hijacking, credential theft, or the delivery of further malware, posing a significant risk to the confidentiality and integrity of user data and the affected web application.

Vulnerability

This CVE encompasses two separate cross-site scripting vulnerabilities:

  1. Reflected XSS: An authenticated user can be tricked into opening a specially crafted URL. When the user interacts with the news comment form on the news.php page (specifically, by typing in the comment field and then moving focus out of it), JavaScript embedded in a URL parameter is executed in their browser.
  2. Stored XSS via File Upload: An authenticated administrator can bypass file upload restrictions in the media manager's remote URL upload feature (image.php). This allows the administrator to upload a Scalable Vector Graphics (SVG) file containing JavaScript. When any user subsequently views or accesses this SVG file, the embedded script executes in their browser, resulting in a stored XSS attack.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation can have severe consequences for the business, including the compromise of user and administrator accounts through session hijacking and credential theft. This could lead to unauthorized access to sensitive data, website defacement, distribution of malware to visitors, and reputational damage. An attacker gaining administrator-level access could potentially pivot to compromise the underlying server and other internal network resources, escalating the incident from a web application breach to a full network compromise.

Remediation

Immediate Action: Update the affected products (listed as Unknown Multiple Products) to the latest version. Monitor for exploitation attempts and review access logs.

Proactive Monitoring:

  • Review web server access logs for unusual or lengthy URL parameters targeting news.php, which may indicate reflected XSS attempts.
  • Monitor media manager and server file system logs for the upload of SVG files, particularly through the remote URL upload feature.
  • Implement and monitor alerts from a Web Application Firewall (WAF) for XSS attack signatures and unauthorized file type uploads.

Compensating Controls:

  • If immediate patching is not feasible, implement a WAF with strict XSS filtering rules to block malicious requests.
  • Enforce a strong Content Security Policy (CSP) to prevent the execution of untrusted inline scripts and scripts from unauthorized sources.
  • Disable the remote URL file upload feature within the media manager or restrict its use to highly trusted administrators.
  • Configure the web server to serve all user-uploaded files, including SVGs, with a Content-Type header (e.g., text/plain) that prevents them from being rendered as active content by browsers.
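The last two compensating controls in practice, as an added example that is not the affected product's code: content-sniff remote-URL uploads so an SVG is recognised by its root element rather than its extension, apply an upload-time policy, and emit the serve-time headers (text/plain as the advisory suggests, plus nosniff, attachment disposition and a sandboxing CSP) that keep the browser from rendering it as active content. File names and payloads are constructed samples.

```python
import re

# Constructed sample payloads standing in for files fetched by a media manager's
# remote-URL upload feature (hypothetical names and content, not the product's own).
SAMPLES = {
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    # SVG hidden behind an image extension; the root element, not the name, decides.
    "icon.jpg": b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg">'
                b"<script>/* marker */</script></svg>",
    "shape.svg": b'  <svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>',
}

# Matches an SVG document root after an optional XML prolog, comments and DOCTYPE.
_SVG_ROOT = re.compile(
    rb"^\s*(?:<\?xml[^>]*\?>\s*)?(?:<!--.*?-->\s*)*(?:<!DOCTYPE[^>]*>\s*)?<svg\b",
    re.IGNORECASE | re.DOTALL,
)
# Script-capable SVG constructs: <script>, event-handler attributes, javascript: URLs, foreignObject.
_ACTIVE = re.compile(rb"<script\b|\son[a-z]+\s*=|javascript:|<foreignobject\b", re.IGNORECASE)


def is_svg(data: bytes) -> bool:
    """Sniff the content; the extension and the client's Content-Type are untrusted."""
    return _SVG_ROOT.match(data[:4096]) is not None


def has_active_content(data: bytes) -> bool:
    """True when an SVG carries constructs that can execute script in a viewer's browser."""
    return _ACTIVE.search(data) is not None


def upload_decision(data: bytes) -> str:
    """Upload-time policy: reject script-bearing SVGs, hold other SVGs for review, accept raster images."""
    if is_svg(data):
        return "reject" if has_active_content(data) else "quarantine"
    if data.startswith(b"\x89PNG\r\n\x1a\n") or data.startswith(b"\xff\xd8\xff"):
        return "accept"
    return "reject"


def response_headers(filename: str, data: bytes) -> dict:
    """Serve-time headers for an uploaded file so the browser never renders it as an active document."""
    safe_name = re.sub(r"[^\w.-]", "_", filename)  # keep the header value free of quotes and control chars
    headers = {"X-Content-Type-Options": "nosniff"}  # stop MIME sniffing back to image/svg+xml
    if is_svg(data):
        headers["Content-Type"] = "text/plain; charset=utf-8"  # the advisory's suggested type
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
        headers["Content-Security-Policy"] = "default-src 'none'; sandbox"  # defence in depth if ever inlined
    elif data.startswith(b"\x89PNG\r\n\x1a\n"):
        headers["Content-Type"] = "image/png"
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return headers
```

Serving SVGs from a separate, cookie-less origin adds a further layer, since even a rendered script then runs outside the application's session.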

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.8, it is strongly recommended that organizations patch all affected systems immediately. The combination of both reflected and stored XSS vectors provides attackers with multiple avenues for exploitation against different user privilege levels. Although there is no evidence of active exploitation at this time, the high severity rating makes it a probable target for future threat actor activity. If patching cannot be performed immediately, the compensating controls listed above, particularly the use of a WAF and a restrictive Content Security Policy, should be implemented as a matter of urgency.