Concrete CMS vulnerable to Stored Cross-site Scripting
Low severity
GitHub Reviewed
Published Aug 1, 2024 to the GitHub Advisory Database • Updated Dec 16, 2024
Published by the National Vulnerability Database: Aug 1, 2024
Reviewed: Aug 2, 2024
Description
Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board instance functionality. The Name input field does not sufficiently check its input, which lets a rogue administrator inject malicious JavaScript code.
The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator) and a CVSS v4 score of 1.8 with a vector of CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks fhAnso for reporting.