Lucene search

GoogleOSV:GHSA-C47W-9MCF-W972

HistoryAug 12, 2024 - 3:30 p.m.

Concrete CMS vulnerable to Stored Cross-site Scripting

2024-08-1215:30:52

Google

osv.dev

concrete cms

version 9.0-9.3.2

stored xss

board instances

rogue administrator

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVSS4

1.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

ACTIVE

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/SC:N/VI:N/SI:N/VA:N/SA:N

AI Score

5.6

Confidence

High

EPSS

Percentile

14.7%

JSON

Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in Board instances. A rogue administrator could inject malicious code.

References

documentation.concretecms.org/9-x/developers/introduction/version-history/933-release-notes?pk_vid=e367a434ef4830491723055753d52041

github.com/concretecms/concretecms

hackerone.com/reports/2486344

nvd.nist.gov/vuln/detail/CVE-2024-7512

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVSS4

1.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

ACTIVE

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/SC:N/VI:N/SI:N/VA:N/SA:N

AI Score

5.6

Confidence

High

EPSS

Percentile

14.7%

JSON

Related for OSV:GHSA-C47W-9MCF-W972