CVE-2024-1247

Concrete CMS version 9 before 9.2.5 is vulnerable to  stored XSS via the Role Name field since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the affected page. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Concrete versions below 9 do not include group types so they are not affected by this vulnerability.
Configurations

Configuration 1 (hide)

cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:50

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 4.8
v2 : unknown
v3 : 2.0
References () https://documentation.concretecms.org/9-x/developers/introduction/version-history/925-release-notes - Release Notes, Vendor Advisory () https://documentation.concretecms.org/9-x/developers/introduction/version-history/925-release-notes - Release Notes, Vendor Advisory
References () https://www.concretecms.org/about/project-news/security/2024-02-04-security-advisory - Vendor Advisory () https://www.concretecms.org/about/project-news/security/2024-02-04-security-advisory - Vendor Advisory

15 Feb 2024, 04:44

Type Values Removed Values Added
References () https://documentation.concretecms.org/9-x/developers/introduction/version-history/925-release-notes - () https://documentation.concretecms.org/9-x/developers/introduction/version-history/925-release-notes - Release Notes, Vendor Advisory
References () https://www.concretecms.org/about/project-news/security/2024-02-04-security-advisory - () https://www.concretecms.org/about/project-news/security/2024-02-04-security-advisory - Vendor Advisory
CVSS v2 : unknown
v3 : 2.0
v2 : unknown
v3 : 4.8
Summary
  • (es) La versión 9 de Concrete CMS anterior a la 9.2.5 es vulnerable al XSS almacenado a través del campo Role Name, ya que no hay validación suficiente de los datos proporcionados por el administrador para ese campo. Un administrador deshonesto podría inyectar código malicioso en el campo Role Name que podría ejecutarse cuando los usuarios visitan la página afectada. El equipo de seguridad de Concrete CMS obtuvo este 2 con el vector CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator. Las versiones concretas inferiores a 9 no incluyen tipos de grupos, por lo que no se ven afectados por esta vulnerabilidad.
CPE cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*
CWE CWE-79
First Time Concretecms
Concretecms concrete Cms

09 Feb 2024, 20:15

Type Values Removed Values Added
Summary (en) Concrete CMS version 9 before 9.2.5 is vulnerable to  stored XSS via the “Role Name” field since there is insufficient validation of administrator provided data for that field. (en) Concrete CMS version 9 before 9.2.5 is vulnerable to  stored XSS via the Role Name field since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the affected page. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Concrete versions below 9 do not include group types so they are not affected by this vulnerability.

09 Feb 2024, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-02-09 19:15

Updated : 2024-11-21 08:50


NVD link : CVE-2024-1247

Mitre link : CVE-2024-1247

CVE.ORG link : CVE-2024-1247


JSON object : View

Products Affected

concretecms

  • concrete_cms
CWE
CWE-20

Improper Input Validation

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')