Lucene search

Veracode Vulnerability DatabaseVERACODE:45444

HistoryFeb 12, 2024 - 10:57 a.m.

Cross Site Scripting (XSS)

2024-02-1210:57:37

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

cross site scripting

concrete5

image url import

admin

attacker

malicious code

vulnerability

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

AI Score

6.5

Confidence

High

EPSS

Percentile

14.0%

JSON

concrete5/concrete5 is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to the Image URL Import Feature. The vulnerability allows an admin authicated attacker to inject malicious code when importing images, resulting in XSS.

References

documentation.concretecms.org/9-x/developers/introduction/version-history/925-release-notes

github.com/advisories/GHSA-9v3w-cj7m-qh5g

github.com/concretecms/concretecms/commit/59a07472ad6349a2c5fb455837a54ed1fe3f6953

www.concretecms.org/about/project-news/security/2024-02-04-security-advisory