CVE-2022-43695

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn’t exist or, if it does exist, contains XSS since it was not properly sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:27

Type Values Removed Values Added
References () https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes - Release Notes, Vendor Advisory () https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes - Release Notes, Vendor Advisory
References () https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes - Release Notes, Vendor Advisory () https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes - Release Notes, Vendor Advisory
References () https://github.com/concretecms/concretecms/releases/8.5.10 - Release Notes, Vendor Advisory () https://github.com/concretecms/concretecms/releases/8.5.10 - Release Notes, Vendor Advisory
References () https://github.com/concretecms/concretecms/releases/9.1.3 - Release Notes, Vendor Advisory () https://github.com/concretecms/concretecms/releases/9.1.3 - Release Notes, Vendor Advisory
References () https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31 - Vendor Advisory () https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31 - Vendor Advisory

08 Aug 2023, 14:22

Type Values Removed Values Added
New CVE

Information

Published : 2022-11-14 23:15

Updated : 2024-11-21 07:27


NVD link : CVE-2022-43695

Mitre link : CVE-2022-43695

CVE.ORG link : CVE-2022-43695


JSON object : View

Products Affected

concretecms

  • concrete_cms
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')