CVE-2024-3179
Concrete CMS version 9 before 9.2.8 and previous versions before 8.5.16 are vulnerable to Stored XSS in the Custom Class page
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Concrete CMS version 9 before 9.2.8 and previous versions before 8.5.16 are vulnerable to Stored XSS in the Custom Class page
Concrete CMS version 9 before 9.2.8 and previous versions before 8.5.16 are vulnerable to Stored XSS in the Custom Class page editing. Prior to the fix, a rogue administrator could insert malicious code in the custom class field due to insufficient validation of administrator provided data. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Thanks Alexey Solovyev for reporting.
Reserved 2024-04-02 | Published 2024-04-03 | Updated 2024-08-30 | Assigner ConcreteCMSCWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Alexey Solovyev
documentation.concretecms.org/...y4xLjE3MTIxNjY3MDcuMC4wLjA.
documentation.concretecms.org/...y4xLjE3MTIxNjY2ODEuMC4wLjA.
Support options
