Lucene search

GoogleOSV:GHSA-6XX7-R8X4-FPJP

HistoryOct 06, 2023 - 3:30 p.m.

ConcreteCMS Cross-site Scripting vulnerability

2023-10-0615:30:19

Google

osv.dev

cross site scripting

arbitrary code execution

plural handle

data objects

system & settings

concrete cms v.9.2.1

software

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.0005 Low

EPSS

Percentile

18.4%

JSON

A Cross Site Scripting (XSS) vulnerability in Concrete CMS v.9.2.1 allows an attacker to execute arbitrary code via a crafted script to Plural Handle of the Data Objects from System & Settings.

CPENameOperatorVersion
concrete5/concrete5eq8.5.0
concrete5/concrete5eq8.5.6
concrete5/concrete5eq8.5.6RC1
concrete5/concrete5eq8.2.0RC2
concrete5/concrete5eq9.1.2
concrete5/concrete5eq8.2.1
concrete5/concrete5eq8.4.1
concrete5/concrete5eq8.5.13
concrete5/concrete5eq9.0.0RC1
concrete5/concrete5eq8.4.0RC3

Name	Operator	Version
concrete5/concrete5	eq	8.5.0
concrete5/concrete5	eq	8.5.6
concrete5/concrete5	eq	8.5.6RC1
concrete5/concrete5	eq	8.2.0RC2
concrete5/concrete5	eq	9.1.2
concrete5/concrete5	eq	8.2.1
concrete5/concrete5	eq	8.4.1
concrete5/concrete5	eq	8.5.13
concrete5/concrete5	eq	9.0.0RC1
concrete5/concrete5	eq	8.4.0RC3

Rows per page:

1-10 of 521

References

github.com/concretecms/concretecms

github.com/concretecms/concretecms/pull/11746

github.com/concretecms/concretecms/pull/11746/commits/0f0564232e0a49719d0bdff6223539b624f116ee

github.com/concretecms/concretecms/pull/11746/commits/92bcc208078571f4beda38cb0952f8e99887737a

github.com/sromanhu/ConcreteCMS-Stored-XSS---Associations

nvd.nist.gov/vuln/detail/CVE-2023-44765

www.concretecms.org/about/project-news/security/2023-11-09-security-blog-about-updated-cves-and-new-release