CVE-2024-4350

Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses. A rogue administrator could inject malicious code into fields due to insufficient input validation. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.0 with a vector of AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator and a CVSS v4 score of 2.1 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Thanks, m3dium for reporting.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*

History

30 Aug 2024, 18:18

Type Values Removed Values Added
References () https://documentation.concretecms.org/9-x/developers/introduction/version-history/933-release-notes?pk_vid=e367a434ef4830491723060415d52041 - () https://documentation.concretecms.org/9-x/developers/introduction/version-history/933-release-notes?pk_vid=e367a434ef4830491723060415d52041 - Release Notes, Vendor Advisory
References () https://documentation.concretecms.org/developers/introduction/version-history/8518-release-notes?pk_vid=e367a434ef4830491723055758d52041 - () https://documentation.concretecms.org/developers/introduction/version-history/8518-release-notes?pk_vid=e367a434ef4830491723055758d52041 - Release Notes, Vendor Advisory
References () https://github.com/concretecms/concretecms/commit/c08d9671cec4e7afdabb547339c4bc0bed8eab06 - () https://github.com/concretecms/concretecms/commit/c08d9671cec4e7afdabb547339c4bc0bed8eab06 - Patch
References () https://github.com/concretecms/concretecms/pull/12166 - () https://github.com/concretecms/concretecms/pull/12166 - Patch
First Time Concretecms concrete Cms
Concretecms
CWE CWE-79
CPE cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 4.8

19 Aug 2024, 21:15

Type Values Removed Values Added
Summary
  • (es) Las versiones de Concrete CMS 9.0.0 a 9.3.2 y anteriores a 8.5.18 son vulnerables a XSS Almacenado en RSS Displayer cuando la entrada del usuario se almacena y luego se integra en las respuestas. Un administrador deshonesto podría inyectar código malicioso en los campos debido a una validación de entrada insuficiente. El equipo de seguridad de Concrete CMS le dio a esta vulnerabilidad una puntuación CVSS v3.1 de 3.0 con un vector de AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A: N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator y una puntuación CVSS v4 de 2,1 con el vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI :N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/ AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Gracias, m3dium por informar.
Summary (en) Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses. A rogue administrator could inject malicious code into fields due to insufficient input validation. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.0 with a vector of AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator  and a CVSS v4 score of 2.1 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N  Thanks, m3dium for reporting. (en) Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses. A rogue administrator could inject malicious code into fields due to insufficient input validation. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.0 with a vector of AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator and a CVSS v4 score of 2.1 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Thanks, m3dium for reporting.

12 Aug 2024, 13:41

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-12 13:38

Updated : 2024-08-30 18:18


NVD link : CVE-2024-4350

Mitre link : CVE-2024-4350

CVE.ORG link : CVE-2024-4350


JSON object : View

Products Affected

concretecms

  • concrete_cms
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-20

Improper Input Validation