CVE-2024-58344: Carbon Forum 5.9.0 Persistent XSS via Forum Name Field
Carbon Forum 5.9.0 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious JavaScript code through the Forum Name field in dashboard settings. Attackers with admin privileges can store JavaScript payloads in the Forum Name field that execute in the browsers of all users visiting the forum, enabling session hijacking and data theft.
Security readout for executives and security teams
Plain-English summary
Carbon Forum 5.9.0 lets an authenticated administrator store JavaScript in the Forum Name setting. That script can run for users who visit the forum, creating risk of account misuse or data exposure. The issue is important where admin accounts are shared, weakly protected, or could be compromised.
Executive priority
Prioritize remediation for internet-facing Carbon Forum sites or environments with weak administrator controls. The issue is not listed as KEV and requires admin-level access, but stored XSS can affect many visitors once planted.
Technical view
The vulnerability is persistent cross-site scripting in Carbon Forum 5.9.0 dashboard settings, mapped to CWE-79. The supplied CVSS 3.1 score is 6.4, with network attack vector, low complexity, low privileges required, changed scope, and low confidentiality and integrity impact.
Likely exposure
Exposure appears limited to Carbon Forum 5.9.0 deployments. Practical risk depends on whether an attacker already has administrator privileges or can obtain them. Public-facing forums increase blast radius because stored script content may execute for multiple visitors.
Exploitation context
The source bundle includes an ExploitDB reference, so public exploit information exists. CISA KEV status is false in the bundle, and no cited source states active in-the-wild exploitation. Treat exploitation evidence as public proof-of-concept availability, not confirmed active abuse.
Researcher notes
Evidence identifies Carbon Forum 5.9.0 and the Forum Name field. The bundle does not provide an official patch version, commit fix, or vendor mitigation. Avoid broad version assumptions beyond 5.9.0 unless confirmed by vendor or code review.
Mitigation direction
Inventory Carbon Forum deployments and confirm whether version 5.9.0 is present.
Check the vendor project and advisory sources for fixed release or official guidance.
Restrict dashboard administrator access to trusted, MFA-protected accounts.
Review and remove suspicious script-like content from the Forum Name setting.
Monitor forum sessions and administrator activity for abnormal behavior.
Validation and detection
Verify application version against Carbon Forum 5.9.0 exposure.
Inspect dashboard settings for unsafe Forum Name content.
Review admin account history for unexpected settings changes.
Confirm browser output encodes the Forum Name rather than executing it.
Track advisory sources for patch or mitigation updates.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-79: User-session and phishing behavior lookup
Client-side and session-facing weaknesses should be reviewed alongside initial-access and user-execution behaviors. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-79 · source CWE mapping
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.