Home

Description

Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Page. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and (if victim is an admin), the execution of unauthorized actions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Fortbridge https://fortbridge.co.uk/ for performing a penetration test and vulnerability assessment on Concrete CMS and reporting this issue.

PUBLISHED Reserved 2025-08-04 | Published 2025-08-05 | Updated 2025-08-06 | Assigner ConcreteCMS




MEDIUM: 4.8CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-20 Improper Input Validation

Product status

Default status
unaffected

9.0.0 (patch) before 9.4.3
affected

5.6 (patch) before 8.5.21
affected

Credits

Fortbridge finder

References

documentation.concretecms.org/...-history/8521-release-notes

documentation.concretecms.org/...n-history/943-release-notes

www.concretecms.org/download

cve.org (CVE-2025-8571)

nvd.nist.gov (CVE-2025-8571)

Download JSON