Cross site scripting

2022-11-1423:15:00

PRIOn knowledge base

www.prio-n.com

cross site scripting

concrete cms

stored xss

security vulnerability

entity association

remediation

nvd

0.001 Low

EPSS

Percentile

50.7%

JSON

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn’t exist or, if it does exist, contains XSS since it was not properly sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

CPENameOperatorVersion
concrete_cmslt8.5.10
concrete_cmsge9.0.0
concrete_cmsle9.1.2

Name	Operator	Version
concrete_cms	lt	8.5.10
concrete_cms	ge	9.0.0
concrete_cms	le	9.1.2

References

documentation.concretecms.org/developers/introduction/version-history/8510-release-notes

documentation.concretecms.org/developers/introduction/version-history/913-release-notes

github.com/concretecms/concretecms/releases/8.5.10

github.com/concretecms/concretecms/releases/9.1.3

www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31

0.001 Low

EPSS

Percentile

50.7%

JSON

Related for PRION:CVE-2022-43695