CVE-2024-3181
3.1
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L
Summary
Concrete CMS version 9 prior to 9.2.8 and previous versions prior to 8.5.16 are vulnerable to Stored XSS in the Search Field. Prior to the fix, stored XSS could be executed by an administrator changing a filter to which a rogue administrator had previously added malicious code. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Thanks Alexey Solovyev for reporting
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Concrete CMS | Concrete CMS | 9.0.0 < 9.2.8 | affected |
| Concrete CMS | Concrete CMS | 5.0.0 < 8.5.16 | affected |
Weaknesses
- CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://documentation.concretecms.org/developers/introduction/version-history/8516-release-notes?_gl=11oa3zn1_gaMTc1NDc0Njk2Mi4xNzA2ODI4MDU1_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY3MDcuMC4wLjA.
- https://documentation.concretecms.org/9-x/developers/introduction/version-history/928-release-notes?_gl=11bcxp5s_gaMTc1NDc0Njk2Mi4xNzA2ODI4MDU1_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY2ODEuMC4wLjA.
References
- https://documentation.concretecms.org/developers/introduction/version-history/8516-release-notes?_gl=11oa3zn1_gaMTc1NDc0Njk2Mi4xNzA2ODI4MDU1_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY3MDcuMC4wLjA.
- https://documentation.concretecms.org/9-x/developers/introduction/version-history/928-release-notes?_gl=11bcxp5s_gaMTc1NDc0Njk2Mi4xNzA2ODI4MDU1_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY2ODEuMC4wLjA.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.