Lucene search

[email protected]CVE-2023-44765

HistoryOct 06, 2023 - 1:15 p.m.

CVE-2023-44765

2023-10-0613:15:12

CWE-79

[email protected]

web.nvd.nist.gov

cve-2023-44765

cross site scripting

xss

concrete cms

data objects

system & settings

code execution

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

5.3 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

18.3%

JSON

A Cross Site Scripting (XSS) vulnerability in Concrete CMS versions 8.5.12 and below, and 9.0 through 9.2.1 allows an attacker to execute arbitrary code via a crafted script to Plural Handle of the Data Objects from System & Settings.

Affected configurations

NVD

Node

concretecmsconcrete_cmsMatch9.2.1

CPENameOperatorVersion
concretecms:concrete_cmsconcretecms concrete cmseq9.2.1

CPE	Name	Operator	Version
concretecms:concrete_cms	concretecms concrete cms	eq	9.2.1

References

github.com/sromanhu/ConcreteCMS-Stored-XSS---Associations

www.concretecms.org/about/project-news/security/2023-11-09-security-blog-about-updated-cves-and-new-release