GitHub Advisory DatabaseGHSA-MGP6-J658-VCW9Concrete CMS vulnerable to stored XSS in file tags and description attributes
4.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
6.1 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
14.0%
Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator entered file attributes are not sufficiently sanitized in the Edit Attributes page. A rogue administrator could put malicious code into the file tags or description attributes and, when another administrator opens the same file for editing, the malicious code could execute. The Concrete CMS Security team scored this 2.4 with CVSS v3 vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator .
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| concrete5/concrete5 | lt | 9.2.5 |
References
documentation.concretecms.org/9-x/developers/introduction/version-history/925-release-notes
github.com/advisories/GHSA-mgp6-j658-vcw9
github.com/concretecms/concretecms/commit/59a07472ad6349a2c5fb455837a54ed1fe3f6953
nvd.nist.gov/vuln/detail/CVE-2024-1245
www.concretecms.org/about/project-news/security/2024-02-04-security-advisory
Related
4.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
6.1 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
14.0%