GoogleOSV:GHSA-Q5WX-M95R-4CGCConcrete CMS Stored Cross-site Scripting vulnerability
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSS4
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/SC:N/VI:N/SI:N/VA:N/SA:N
AI Score
Confidence
High
EPSS
Percentile
21.0%
Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayerย when user input is stored and later embedded into responses. Aย rogue administrator could inject malicious code into fields due to insufficient input validation.
References
documentation.concretecms.org/9-x/developers/introduction/version-history/933-release-notes?pk_vid=e367a434ef4830491723060415d52041
documentation.concretecms.org/developers/introduction/version-history/8518-release-notes?pk_vid=e367a434ef4830491723055758d52041
github.com/concretecms/concretecms
github.com/concretecms/concretecms/commit/55e485e06b0b3342613a55af6a7c61d939d2ccb5
github.com/concretecms/concretecms/commit/c08d9671cec4e7afdabb547339c4bc0bed8eab06
github.com/concretecms/concretecms/pull/12166
nvd.nist.gov/vuln/detail/CVE-2024-4350
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
CVSS4
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/SC:N/VI:N/SI:N/VA:N/SA:N
AI Score
Confidence
High
EPSS
Percentile
21.0%