CVE-2024-7300: 
PHP vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability has been identified in Bolt CMS version 3.7.1, specifically affecting the Showcase Creation Handler component in the file /bolt/editcontent/showcases. The vulnerability was discovered and disclosed on July 31, 2024. This security issue affects the title/textarea argument manipulation and can be exploited remotely. It's important to note that this vulnerability only impacts products that are no longer supported by the maintainer, as confirmed by the vendor who acknowledged that the affected release tree is end-of-life (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. Additionally, it received a CVSS v4.0 score of 5.3 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

When exploited, this cross-site scripting vulnerability allows attackers to inject malicious scripts into the showcase creation functionality. The exploit can be used to facilitate drive-by downloads of malicious files without user consent when accessing the affected page (VulDB Submit).

Since this vulnerability affects an end-of-life version of Bolt CMS 3.7.1, and the vendor has confirmed that the affected release tree is no longer supported, users are strongly advised to upgrade to a supported version of the software (NVD).