GitHub Advisory DatabaseGHSA-W6J6-W6JX-VF2RConcrete CMS Stored XSS in getAttributeSetName
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSS4
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
ACTIVE
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/SC:N/VI:N/SI:N/VA:N/SA:N
AI Score
Confidence
High
EPSS
Percentile
21.0%
Concrete CMS versions 9 through 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in getAttributeSetName(). A rogue administrator could inject malicious code.
Affected configurations
References
documentation.concretecms.org/9-x/developers/introduction/version-history/933-release-notes?pk_vid=e367a434ef4830491723055753d52041
documentation.concretecms.org/developers/introduction/version-history/8518-release-notes?pk_vid=e367a434ef4830491723055758d52041
github.com/advisories/GHSA-w6j6-w6jx-vf2r
github.com/concretecms/concretecms/commit/3a5974e94892c43388c3529e57a140bf2967c734
github.com/concretecms/concretecms/commit/c08d9671cec4e7afdabb547339c4bc0bed8eab06
github.com/concretecms/concretecms/commit/e7e0eb95a0c4d0875c3712e33f495be76578cd5a
github.com/concretecms/concretecms/pull/12166
nvd.nist.gov/vuln/detail/CVE-2024-7394
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSS4
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
ACTIVE
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/SC:N/VI:N/SI:N/VA:N/SA:N
AI Score
Confidence
High
EPSS
Percentile
21.0%