CVE-2024-45964

4.8 MEDIUM

📋 TL;DR

Zenario 9.7.61188 contains a reflected cross-site scripting (XSS) vulnerability in the Image library's 'Organizer tags' field. This allows attackers to inject malicious scripts that execute in victims' browsers when they interact with the vulnerable component. Users of Zenario CMS version 9.7.61188 are affected.

💻 Affected Systems

Products:
  • Zenario CMS
Versions: 9.7.61188
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the Image library component with Organizer tags functionality enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or deface the application interface.

🟠 Likely Case

Session hijacking, credential theft, or limited client-side attacks against users who interact with the vulnerable field.

🟢 If Mitigated

Minimal impact if input validation and output encoding are properly implemented, or if users have script-blocking browser extensions.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction with the vulnerable field. The Medium article demonstrates proof-of-concept.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

1. Monitor Zenario vendor announcements for patches.
2. Apply security updates when available.
3. Test in a staging environment before production deployment.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement server-side validation and HTML encoding for the Organizer tags field.

Content Security Policy

all

Implement strict CSP headers to mitigate XSS impact.

Content-Security-Policy: default-src 'self'; script-src 'self'

🧯 If You Can't Patch

  • Disable or restrict access to the Image library Organizer tags functionality.
  • Implement WAF rules to block XSS payloads targeting the vulnerable endpoint.

🔍 How to Verify

Check if Vulnerable:

Test the Organizer tags field in the Zenario Image library with XSS payloads such as <script>alert('XSS')</script> and check whether the script executes.

Check Version:

Check Zenario admin panel or version file for exact version number.

Verify Fix Applied:

Retest with XSS payloads after applying fixes; scripts should not execute and input should be properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST/GET requests to image library endpoints with script tags or JavaScript code in parameters.
  • Multiple failed validation attempts on Organizer tags field.

Network Indicators:

  • HTTP requests containing <script>, javascript:, or other XSS patterns in URL parameters or form data.

SIEM Query:

source="web_logs" AND (uri_path="/image-library" OR uri_path="/organizer") AND (query="*<script>*" OR query="*javascript:*")
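
The query above matches the literal strings `<script>` and `javascript:`, so percent-encoded or double-encoded values in a request line pass unnoticed. The following is an added example, not code from this advisory or from Zenario, that decodes query parameters before matching; the log lines are constructed, the paths are the ones in the query above, and the `tags` parameter name and the extra event-handler pattern are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Paths taken from the SIEM query on this page; adjust to the deployment.
WATCHED_PATHS = ("/image-library", "/organizer")
# Patterns named in the page's indicators, plus inline event handlers
# (heuristic and an assumption; expect some false positives).
XSS_RE = re.compile(r"<\s*script|javascript\s*:|\bon\w+\s*=", re.I)
# Request part of a common/combined log line: "METHOD target HTTP/x"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return [(param, decoded_value)] for watched paths with XSS patterns."""
    m = REQ_RE.search(log_line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith(WATCHED_PATHS):
        return []
    hits = []
    # parse_qsl decodes once; fully_decode handles further encoding layers.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = fully_decode(value)
        if XSS_RE.search(decoded):
            hits.append((name, decoded))
    return hits

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Oct/2024:10:00:01 +0000] "GET /image-library?tags=holiday HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Oct/2024:10:00:05 +0000] "GET /image-library?tags=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 530',
    '198.51.100.7 - - [01/Oct/2024:10:00:09 +0000] "GET /organizer?tags=%253Cscript%253E HTTP/1.1" 200 498',
    '198.51.100.7 - - [01/Oct/2024:10:00:12 +0000] "GET /blog?q=%3Cscript%3E HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for name, value in suspicious_params(line):
            print(f"ALERT param={name!r} value={value!r}")
```

Access logs normally record only the request line, so values submitted in POST form data need the same decoding applied at a WAF or in application logging.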

🔗 References
