<script>alert('XSS')</script>
and hit Save. The vulnerability lies in the type_form.php file, see https://github.com/concrete5/concrete5/blob/develop/concrete/attributes/select/type_form.php#L40
The vuln can be pretty bad if the website has an Express Form with a select attribute associated with it that has “Allow users to add to this list.” enabled. In that case, an (unauthenticated) user can submit a form that results in stored XSS.
Stored XSS on /index.php/dashboard/pages/attributes/edit/xxx page and when editing an Express Form block.
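
The usual fix for this class of bug is to HTML-encode every stored option value at the point where the edit form renders it. The sketch below is an added example, not concrete5's code: the function names, the markup and the sample option list are hypothetical and only contrast the unencoded output with the encoded one.

```php
<?php
// Added example, not concrete5 code. Names and markup are hypothetical.

/** Vulnerable pattern: the stored option value is written into HTML as-is. */
function renderOptionUnsafe(int $id, string $value): string
{
    return '<input type="text" name="option[' . $id . ']" value="' . $value . '">'
         . '<span class="option-label">' . $value . '</span>';
}

/** Hardened pattern: encode for the HTML context before output. */
function renderOptionSafe(int $id, string $value): string
{
    // ENT_QUOTES covers both attribute and element content;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    $encoded = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return '<input type="text" name="option[' . $id . ']" value="' . $encoded . '">'
         . '<span class="option-label">' . $encoded . '</span>';
}

/** True if the rendered HTML still contains a live script tag. */
function hasScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed sample: option values as they might sit in storage after
// form submissions, including the test string from the report.
$storedOptions = [
    1 => 'Red',
    2 => "<script>alert('XSS')</script>",
    3 => 'Tom & "Jerry"',
];

foreach ($storedOptions as $id => $value) {
    $unsafe = renderOptionUnsafe($id, $value);
    $safe   = renderOptionSafe($id, $value);

    printf(
        "option %d: unsafe has <script>: %s, safe has <script>: %s\n  safe output: %s\n",
        $id,
        hasScriptTag($unsafe) ? 'yes' : 'no',
        hasScriptTag($safe) ? 'yes' : 'no',
        $safe
    );
}
```

Encoding at output time also covers option values that were stored before the fix, which input filtering on the form submission alone would not.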