Title for CVE: XSS in /dashboard/system/express/entities/forms/save_control/[GUID]: old browsers only.Description: When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 can allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks zeroinside for reporting.
References
Link | Resource |
---|---|
https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes | Release Notes Vendor Advisory |
https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes | Release Notes Vendor Advisory |
https://hackerone.com/reports/1370054 | Permissions Required Third Party Advisory |
https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes | Release Notes Vendor Advisory |
https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes | Release Notes Vendor Advisory |
https://hackerone.com/reports/1370054 | Permissions Required Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 07:02
Type | Values Removed | Values Added |
---|---|---|
References | () https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes - Release Notes, Vendor Advisory | |
References | () https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes - Release Notes, Vendor Advisory | |
References | () https://hackerone.com/reports/1370054 - Permissions Required, Third Party Advisory |
05 Jul 2022, 18:39
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : 4.3
v3 : 6.1 |
CWE | CWE-79 | |
References | (MISC) https://hackerone.com/reports/1370054 - Permissions Required, Third Party Advisory | |
References | (MISC) https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes - Release Notes, Vendor Advisory | |
References | (MISC) https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes - Release Notes, Vendor Advisory |
24 Jun 2022, 15:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-06-24 15:15
Updated : 2024-11-21 07:02
NVD link : CVE-2022-30118
Mitre link : CVE-2022-30118
CVE.ORG link : CVE-2022-30118
JSON object : View
Products Affected
concretecms
- concrete_cms
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')