CVE-2022-30118
N/A
N/A
Summary
Title for CVE: XSS in /dashboard/system/express/entities/forms/save_control/[GUID]: old browsers only.Description: When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 can allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks zeroinside for reporting.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | https://github.com/concrete5/concrete5 | Remediated in Concrete CMS 8.5.8 and 9.1.0. Affected Versions are Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 | affected |
Weaknesses
- CWE-79: Cross-site Scripting (XSS) - Reflected (CWE-79)
ADP Enrichment
CVE Program Container
Additional References
- https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes
- https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes
- https://hackerone.com/reports/1370054
References
- https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes
- https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes
- https://hackerone.com/reports/1370054
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.