Lucene search
PRIOn knowledge basePRION:CVE-2023-44760HistoryOct 23, 2023 - 10:15 p.m.
Cross site scripting
2023-10-2322:15:00
PRIOn knowledge base
www.prio-n.com
3
cross site scripting
header tracking codes
footer tracking codes
arbitrary code execution
security vulnerability
concrete cms
nvd
admin customization feature
Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow an attacker to execute arbitrary code via a crafted script to the Header and Footer Tracking Codes of the SEO & Statistics. NOTE: the vendor disputes this because these header/footer changes can only be made by an admin, and allowing an admin to place JavaScript there is an intentional customization feature. Also, the exploitation method claimed by “sromanhu” does not provide any access to a Concrete CMS session, because the Concrete CMS session cookie is configured as HttpOnly.
| CPE | Name | Operator | Version |
|---|---|---|---|
| concrete_cms | eq | 9.2.1 |
Related
cvelist
cvelist
CVE-2023-44760
2023-10-23 00:00:00
nvd
nvd
CVE-2023-44760
2023-10-23 22:15:09
github
github
Concrete CMS Cross-site Scripting vulnerability
2023-10-24 00:31:07
veracode
veracode
Cross-site Scripting (XSS)
2023-10-25 09:11:26
cnvd
cnvd
PortlandLabs Concrete CMS Cross-Site Scripting Vulnerability
2023-10-26 00:00:00
cve
cve
CVE-2023-44760
2023-10-23 22:15:09
osv
osv
Concrete CMS Cross-site Scripting vulnerability
2023-10-24 00:31:07
ConcreteCMS Cross-site Scripting vulnerability
2023-10-06 15:30:20