Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator entered file attributes are not sufficiently sanitized in the Edit Attributes page. A rogue administrator could put malicious code into the file tags or description attributes and, when another administrator opens the same file for editing, the malicious code could execute. The Concrete CMS Security team scored this 2.4 with CVSS v3 vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N.
References
Link | Resource |
---|---|
https://documentation.concretecms.org/9-x/developers/introduction/version-history/925-release-notes | Release Notes Vendor Advisory |
https://www.concretecms.org/about/project-news/security/2024-02-04-security-advisory | Vendor Advisory |
https://documentation.concretecms.org/9-x/developers/introduction/version-history/925-release-notes | Release Notes Vendor Advisory |
https://www.concretecms.org/about/project-news/security/2024-02-04-security-advisory | Vendor Advisory |
Configurations
History
21 Nov 2024, 08:50
Type | Values Removed | Values Added |
---|---|---|
References | () https://documentation.concretecms.org/9-x/developers/introduction/version-history/925-release-notes - Release Notes, Vendor Advisory | |
References | () https://www.concretecms.org/about/project-news/security/2024-02-04-security-advisory - Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 2.4 |
15 Feb 2024, 04:44
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.8 |
First Time |
Concretecms
Concretecms concrete Cms |
|
References | () https://documentation.concretecms.org/9-x/developers/introduction/version-history/925-release-notes - Release Notes, Vendor Advisory | |
References | () https://www.concretecms.org/about/project-news/security/2024-02-04-security-advisory - Vendor Advisory | |
CWE | CWE-79 | |
Summary |
|
09 Feb 2024, 22:15
Type | Values Removed | Values Added |
---|---|---|
Summary | (en) Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator entered file attributes are not sufficiently sanitized in the Edit Attributes page. A rogue administrator could put malicious code into the file tags or description attributes and, when another administrator opens the same file for editing, the malicious code could execute. The Concrete CMS Security team scored this 2.4 with CVSS v3 vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N. |
09 Feb 2024, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-02-09 20:15
Updated : 2024-11-21 08:50
NVD link : CVE-2024-1245
Mitre link : CVE-2024-1245
CVE.ORG link : CVE-2024-1245
JSON object : View
Products Affected
concretecms
- concrete_cms