Lucene search

GitHub Advisory DatabaseGHSA-C47W-9MCF-W972

HistoryAug 12, 2024 - 3:30 p.m.

Concrete CMS vulnerable to Stored Cross-site Scripting

2024-08-1215:30:52

CWE-79

GitHub Advisory Database

github.com

concrete cms

vulnerable

stored xss

board instances

rogue administrator

malicious code

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVSS4

1.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

ACTIVE

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/SC:N/VI:N/SI:N/VA:N/SA:N

AI Score

5.7

Confidence

High

EPSS

Percentile

14.7%

JSON

Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in Board instances. A rogue administrator could inject malicious code.

Affected configurations

Vulners

Node

concrete5concrete5Range9.0.0RC1–9.3.3

VendorProductVersionCPE
concrete5concrete5*cpe:2.3:a:concrete5:concrete5:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
concrete5	concrete5	*	cpe:2.3:a:concrete5:concrete5::::::::

References

documentation.concretecms.org/9-x/developers/introduction/version-history/933-release-notes?pk_vid=e367a434ef4830491723055753d52041

github.com/advisories/GHSA-c47w-9mcf-w972

hackerone.com/reports/2486344

nvd.nist.gov/vuln/detail/CVE-2024-7512

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVSS4

1.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

ACTIVE

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/SC:N/VI:N/SI:N/VA:N/SA:N

AI Score

5.7

Confidence

High

EPSS

Percentile

14.7%

JSON

Related for GHSA-C47W-9MCF-W972