ConcreteCMSVULNRICHMENT:CVE-2024-1246CVE-2024-1246 Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
AI Score
Confidence
High
SSVC
Exploitation
none
Automatable
no
Technical Impact
partial
Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature due to insufficient validation of administrator provided data. A rogue administrator could inject malicious code when importing images, leading to the execution of the malicious code on the website user’s browser. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N. This does not affect Concrete versions prior to version 9.
CNA Affected
[
{
"repo": "https://github.com/concretecms/concretecms",
"vendor": "Concrete CMS ",
"product": "Concrete CMS ",
"versions": [
{
"status": "affected",
"version": "9.0.0",
"lessThan": "9.2.5",
"versionType": "patch"
}
],
"defaultStatus": "unaffected"
}
]Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
AI Score
Confidence
High
SSVC
Exploitation
none
Automatable
no
Technical Impact
partial