Lucene search

[email protected]CVE-2023-44766

HistoryOct 06, 2023 - 1:15 p.m.

CVE-2023-44766

2023-10-0613:15:12

CWE-79

[email protected]

web.nvd.nist.gov

cve-2023-44766

cross site scripting

xss

concrete cms

security vulnerability

nvd

admin access

4.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

5 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

18.3%

JSON

A Cross Site Scripting (XSS) vulnerability in Concrete CMS v.9.2.1 allows an attacker to execute arbitrary code via a crafted script to the SEO - Extra from Page Settings. NOTE: the vendor disputes this because this SEO-related header change can only be made by an admin, and allowing an admin to place JavaScript there is an intentional customization feature.

Affected configurations

NVD

Node

concretecmsconcrete_cmsMatch9.2.1

CPENameOperatorVersion
concretecms:concrete_cmsconcretecms concrete cmseq9.2.1

CPE	Name	Operator	Version
concretecms:concrete_cms	concretecms concrete cms	eq	9.2.1

References

github.com/sromanhu/ConcreteCMS-Stored-XSS---SEO

www.concretecms.org/about/project-news/security/security-advisory-2023-10-31-concrete-cms-rejects-cve-2023-44760-and-cve-2023-44766