CVE-2024-4353

Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board instance functionality. The Name input field does not check the input sufficiently letting a rogue administrator have the capability to inject malicious JavaScript code. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator and a CVSS v4 score of 1.8 with a vector of CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Concrete versions below 9 are not affected by this vulnerability. Thanks fhAnso for reporting.

CVSS

No CVSS.

References

Link	Resource
https://documentation.concretecms.org/9-x/developers/introduction/version-history/933-release-notes
https://github.com/concretecms/concretecms/pull/12151

Configurations

No configuration.

History

07 Aug 2024, 19:15

Type	Values Removed	Values Added
Summary	(en) Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board instance functionality. The Name input field does not check the input sufficiently letting a rogue administrator hav the capability to inject malicious JavaScript code. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator and a CVSS v4 score of 1.8 with a vector of CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Thanks fhAnso for reporting.	(en) Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board instance functionality. The Name input field does not check the input sufficiently letting a rogue administrator have the capability to inject malicious JavaScript code. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator and a CVSS v4 score of 1.8 with a vector of CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Concrete versions below 9 are not affected by this vulnerability. Thanks fhAnso for reporting.
References		() https://documentation.concretecms.org/9-x/developers/introduction/version-history/933-release-notes -

02 Aug 2024, 12:59

Type	Values Removed	Values Added
Summary		(es) Las versiones 9.0.0 a 9.3.2 de Concrete CMS se ven afectadas por una vulnerabilidad de XSS almacenado en la funcionalidad de generación de instancia del tablero. El campo de entrada Name no verifica la entrada lo suficiente, lo que permite que un administrador deshonesto tenga la capacidad de inyectar código JavaScript malicioso. El equipo de seguridad de Concrete CMS le dio a esta vulnerabilidad una puntuación CVSS v3.1 de 3.1 con un vector de AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A: N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator y una puntuación CVSS v4 de 1,8 con un vector de CVSS:4.0/AV:N/AC:H/AT:N/PR:H /UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Gracias fhAnso por informar.

01 Aug 2024, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-01 19:15

Updated : 2024-08-07 19:15

NVD link : CVE-2024-4353

Mitre link : CVE-2024-4353

CVE.ORG link : CVE-2024-4353

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

JSON object

Attach tags to CVE-2024-4353

Attach tags to `CVE-2024-4353`