Cyber Resilience

CVE-2024-53255

Medium · Public PoC

Published: 25 November 2024

Modified: 07 May 2025
KEV Added
Patch
CVSS Score (v4): 5.3
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.2880 (96.7th percentile)
Risk Priority: 28 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-53255 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in BoidCMS. Its CVSS base score is 5.3 (Medium).

Operationally, it is ranked in the top 3.3% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

BoidCMS, a PHP-based flat-file CMS that stores data in JSON, contains a reflected cross-site scripting vulnerability in the file parameter of the /admin?page=media endpoint. The flaw, tracked as CVE-2024-53255 and assigned CWE-79, permits injection of arbitrary JavaScript into responses returned to users of the administrative interface and affects all versions prior to 2.1.2.

An unauthenticated attacker can supply a crafted URL containing malicious script in the file parameter; when an administrator follows the link, the script executes in the browser context with the victim's privileges. Successful exploitation can result in theft of session cookies, phishing overlays, or site defacement, consistent with the CVSS 5.3 rating that reflects network attack vector, low complexity, and user interaction requirements.

The official GitHub Security Advisory GHSA-7q7m-cgw8-px4r and the associated commit 42f4d703a87f5199bbd701b3495a26c91b9cfab7 state that the vulnerability is resolved in release 2.1.2 and that no workarounds exist, directing all users to upgrade. The EPSS score reached a peak of 0.3405 with a current value of 0.2880, indicating moderate and relatively stable exploitation interest since disclosure.
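A log check for the behaviour described above, added here as an example and not taken from the advisory or the BoidCMS code base: it flags access-log requests to /admin?page=media whose decoded file parameter contains markup or script-handler characters. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')
# Characters and tokens that have no place in a media file name.
SUSPICIOUS_RE = re.compile(r'[<>"\'`]|javascript:|\bon\w+\s*=', re.IGNORECASE)

def decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding (double-encoded values), bounded."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_media_requests(lines):
    """Return (line_number, decoded file value) for flagged requests."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path.rstrip("/") != "/admin":
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        if "media" not in params.get("page", []):
            continue
        for raw in params.get("file", []):
            value = decode_fully(raw)
            if SUSPICIOUS_RE.search(value):
                hits.append((number, value))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Dec/2024:10:00:00 +0000] "GET /admin?page=media&file=logo.png HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Dec/2024:10:01:00 +0000] "GET /admin?page=media&file=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 640',
    '203.0.113.9 - - [01/Dec/2024:10:02:00 +0000] "GET /admin?page=media&file=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 640',
    '203.0.113.7 - - [01/Dec/2024:10:03:00 +0000] "GET /blog?file=%3Cb%3E HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for number, value in suspicious_media_requests(SAMPLE_LOG):
        print(f"line {number}: file={value!r}")
```

A hit shows that a crafted link was requested, not that the script ran; on versions prior to 2.1.2 treat it as a prompt to review the administrator session involved and to upgrade.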

Vulnerability details

BoidCMS is a free and open-source flat file CMS for building simple websites and blogs, developed using PHP and uses JSON as a database. In affected versions a reflected Cross-site Scripting (XSS) vulnerability exists in the /admin?page=media endpoint in the file parameter, allowing an attacker to inject arbitrary JavaScript code. This code could be used to steal the user's session cookie, perform phishing attacks, or deface the website. This issue has been addressed in version 2.1.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: boidcms
Product: boidcms
Version: ≤ 2.1.2

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-79

Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

addresses: CWE-79

Validates web inputs to reject script-related content that could produce XSS.

addresses: CWE-79

Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
