CVSS3: 4.8 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
AI Score: 7.1 High (Confidence: High)
EPSS: 0.001 Low (Percentile: 22.1%)
Concrete5/concrete5 is vulnerable to Cross-site Scripting. The vulnerability exists due to a lack of user input sanitization, which allows an attacker to inject and execute malicious JavaScript in the browser through the Header and Footer Tracking Codes in SEO & Statistics.
CPE Name | Operator | Version
---|---|---
concrete5/concrete5 | le | 9.2.1
github.com/advisories/GHSA-4qv6-37xq-mgq2
github.com/sromanhu/ConcreteCMS-Stored-XSS---TrackingCodes
github.com/sromanhu/CVE-2023-44760_ConcreteCMS-Stored-XSS---TrackingCodes/commit/ba627d3ea3d433429dd55c65f280dd8c3febf047
github.com/sromanhu/CVE-2023-44760_ConcreteCMS-Stored-XSS---TrackingCodes/issues/1
www.concretecms.org/about/project-news/security/security-advisory-2023-10-31-concrete-cms-rejects-cve-2023-44760-and-cve-2023-44766