Lucene search

GitHub Advisory DatabaseGHSA-6XX7-R8X4-FPJP

HistoryOct 06, 2023 - 3:30 p.m.

ConcreteCMS Cross-site Scripting vulnerability

2023-10-0615:30:19

CWE-79

GitHub Advisory Database

github.com

concretecms

xss

vulnerability

arbitrary code

plural handle

data objects

system & settings

software

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.0005 Low

EPSS

Percentile

18.4%

JSON

A Cross Site Scripting (XSS) vulnerability in Concrete CMS v.9.2.1 allows an attacker to execute arbitrary code via a crafted script to Plural Handle of the Data Objects from System & Settings.

Affected configurations

Vulners

Node

concrete5concrete5Range≤9.2.1

CPENameOperatorVersion
concrete5/concrete5le9.2.1

CPE	Name	Operator	Version
	concrete5/concrete5	le	9.2.1

References

github.com/advisories/GHSA-6xx7-r8x4-fpjp

github.com/concretecms/concretecms/pull/11746

github.com/concretecms/concretecms/pull/11746/commits/0f0564232e0a49719d0bdff6223539b624f116ee

github.com/concretecms/concretecms/pull/11746/commits/92bcc208078571f4beda38cb0952f8e99887737a

github.com/sromanhu/ConcreteCMS-Stored-XSS---Associations

nvd.nist.gov/vuln/detail/CVE-2023-44765

www.concretecms.org/about/project-news/security/2023-11-09-security-blog-about-updated-cves-and-new-release