CVE-2024-2179

Concrete CMS version 9 before 9.2.7 is vulnerable to Stored XSS via the Name field of a Group type, since there is insufficient validation of administrator-provided data for that field. A rogue administrator could inject malicious code into the Name field, which might be executed when users visit the affected page. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 2.2 with a vector of AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N. Concrete versions below 9 do not include group types, so they are not affected by this vulnerability. Thanks to Luca Fuda for reporting.
Configurations

No configuration.

History

30 Aug 2024, 22:15

Type: Summary
  Values Removed: (en) Concrete CMS version 9 before 9.2.7 is vulnerable to Stored XSS via the Name field of a Group type since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Name field which might be executed when users visit the affected page. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 2.2 with a vector of AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N Concrete versions below 9 do not include group types so they are not affected by this vulnerability. Thanks Luca Fuda for reporting.
  Values Added: (en) Concrete CMS version 9 before 9.2.7 is vulnerable to Stored XSS via the Name field of a Group type since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Name field which might be executed when users visit the affected page. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 2.2 with a vector of AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N Concrete versions below 9 do not include group types so they are not affected by this vulnerability. Thanks Luca Fuda for reporting.
Type: CWE
  Values Removed: CWE-20
  Values Added: CWE-79

06 Mar 2024, 15:18

Type: Summary
  Values Added:
  • (es) Concrete CMS version 9 before 9.2.7 is vulnerable to stored XSS via the Name field of a group type, since there is insufficient validation of the administrator-provided data for that field. A rogue administrator could inject malicious code into the Name field that could be executed when users visit the affected page. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 2.2 with a vector of AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N. Concrete versions below 9 do not include group types, so they are not affected by this vulnerability. Thanks to Luca Fuda for reporting.

05 Mar 2024, 21:15

Type: New CVE

Information

Published : 2024-03-05 21:15

Updated : 2024-08-30 22:15


NVD link : CVE-2024-2179

Mitre link : CVE-2024-2179

CVE.ORG link : CVE-2024-2179

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')