GitHub Advisory DatabaseGHSA-9V3W-CJ7M-QH5GConcrete CMS vulnerable to reflected XSS via the Image URL Import Feature
4.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
6.1 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
14.1%
Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature due to insufficient validation of administrator provided data. A rogue administrator could inject malicious code when importing images, leading to the execution of the malicious code on the website user’s browser. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . This does not affect Concrete versions prior to version 9.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| concrete5/concrete5 | lt | 9.2.5 |
References
documentation.concretecms.org/9-x/developers/introduction/version-history/925-release-notes
github.com/advisories/GHSA-9v3w-cj7m-qh5g
github.com/concretecms/concretecms/commit/59a07472ad6349a2c5fb455837a54ed1fe3f6953
nvd.nist.gov/vuln/detail/CVE-2024-1246
www.concretecms.org/about/project-news/security/2024-02-04-security-advisory
Related
4.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
6.1 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
14.1%