Lucene search

GitHub Advisory DatabaseGHSA-8699-H45G-7HM8

HistoryJul 06, 2023 - 7:24 p.m.

Concrete CMS Cross-site Scripting vulnerability

2023-07-0619:24:04

CWE-77

CWE-79

GitHub Advisory Database

github.com

concrete cms

cross-site scripting

xss

dashboard

update

security

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

50.6%

JSON

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn’t exist or, if it does exist, contains XSS since it was not properly sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

Affected configurations

Vulners

Node

concrete5concrete5Range9.0.0–9.1.3

concrete5concrete5Range<8.5.10

VendorProductVersionCPE
concrete5concrete5*cpe:2.3:a:concrete5:concrete5:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
concrete5	concrete5	*	cpe:2.3:a:concrete5:concrete5::::::::

References

documentation.concretecms.org/developers/introduction/version-history/8510-release-notes

documentation.concretecms.org/developers/introduction/version-history/913-release-notes

github.com/advisories/GHSA-8699-h45g-7hm8

github.com/concretecms/concretecms/releases/8.5.10

github.com/concretecms/concretecms/releases/9.1.3

nvd.nist.gov/vuln/detail/CVE-2022-43695

www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31