nvd | ff5b8ace-8b95-4078-9743-eac1ca5451de | NVD:CVE-2024-7512
History: Aug 12, 2024 - 1:38 p.m.

CVE-2024-7512

2024-08-12 13:38:43
CWE-20
CWE-79
ff5b8ace-8b95-4078-9743-eac1ca5451de
web.nvd.nist.gov
3
concrete cms
stored xss
board instances
cve-2024-7512
cvss 4.0
rogue administrator
security vulnerability

CVSS3: 4.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

EPSS: 0
Percentile: 14.7%

Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in Board instances. A rogue administrator could inject malicious code. The Concrete CMS security team gave this vulnerability a CVSS 4.0 Score of 1.8 with vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Versions below 9 are not affected. Thanks, m3dium for reporting.

Affected configurations

Nvd
Node
Vendor: concretecms | Product: concrete_cms | Range: 9.0.0 - 9.3.3

Vendor | Product | Version | CPE
concretecms | concrete_cms | * | cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*
