Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn’t exist or, if it does exist, contains XSS since it was not properly sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
References
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 07:27
Type | Values Removed | Values Added |
---|---|---|
References | () https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes - Release Notes, Vendor Advisory | |
References | () https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes - Release Notes, Vendor Advisory | |
References | () https://github.com/concretecms/concretecms/releases/8.5.10 - Release Notes, Vendor Advisory | |
References | () https://github.com/concretecms/concretecms/releases/9.1.3 - Release Notes, Vendor Advisory | |
References | () https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31 - Vendor Advisory |
08 Aug 2023, 14:22
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-11-14 23:15
Updated : 2024-11-21 07:27
NVD link : CVE-2022-43695
Mitre link : CVE-2022-43695
CVE.ORG link : CVE-2022-43695
JSON object : View
Products Affected
concretecms
- concrete_cms
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')