Lucene search

Veracode Vulnerability DatabaseVERACODE:43725

HistoryOct 10, 2023 - 3:42 p.m.

Cross Site Scripting

2023-10-1015:42:24

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

cross site scripting

arbitrary code execution

plural handle

data objects

system & settings

concrete5

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.0005 Low

EPSS

Percentile

18.4%

JSON

concrete5 is vulnerable to Cross Site Scripting (XSS). The attacker is able to execute arbitrary code via a crafted script to Plural Handle of the Data Objects from System & Settings.

CPENameOperatorVersion
concrete5/concrete5le9.2.1
concrete5/concrete5le9.2.1

CPE	Name	Operator	Version
	concrete5/concrete5	le	9.2.1
	concrete5/concrete5	le	9.2.1

References

github.com/advisories/GHSA-6xx7-r8x4-fpjp

github.com/sromanhu/ConcreteCMS-Stored-XSS---Associations

github.com/sromanhu/CVE-2023-44765_ConcreteCMS-Stored-XSS---Associations

www.concretecms.org/about/project-news/security/2023-11-09-security-blog-about-updated-cves-and-new-release