Lucene search

Ff5b8ace-8b95-4078-9743-eac1ca5451deNVD:CVE-2024-1247

HistoryFeb 09, 2024 - 7:15 p.m.

CVE-2024-1247

2024-02-0919:15:24

CWE-20

CWE-79

ff5b8ace-8b95-4078-9743-eac1ca5451de

web.nvd.nist.gov

concrete cms

stored xss

version 9.2.5

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

AI Score

Confidence

High

EPSS

Percentile

14.0%

JSON

Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS via the Role Name field since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the affected page. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Concrete versions below 9 do not include group types so they are not affected by this vulnerability.

Affected configurations

Nvd

Node

concretecmsconcrete_cmsRange9.0.0–9.2.5

VendorProductVersionCPE
concretecmsconcrete_cms*cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
concretecms	concrete_cms	*	cpe:2.3:a:concretecms:concrete_cms::::::::

References

documentation.concretecms.org/9-x/developers/introduction/version-history/925-release-notes

www.concretecms.org/about/project-news/security/2024-02-04-security-advisory