CVE-2024-7398

Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with permission to modify event calendars can execute scripts. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 1.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N . Thank you, Yusuke Uchida for reporting.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*

History

30 Sep 2024, 16:12

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.4
CPE cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*
First Time Concretecms concrete Cms
Concretecms
References () https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes - () https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes - Release Notes
References () https://documentation.concretecms.org/developers/introduction/version-history/8519-release-notes - () https://documentation.concretecms.org/developers/introduction/version-history/8519-release-notes - Release Notes
References () https://github.com/concretecms/concretecms/commit/7c8ed0d1d9db0d7f6df7fa066e0858ea618451a5 - () https://github.com/concretecms/concretecms/commit/7c8ed0d1d9db0d7f6df7fa066e0858ea618451a5 - Patch
References () https://github.com/concretecms/concretecms/pull/12183 - () https://github.com/concretecms/concretecms/pull/12183 - Patch
References () https://github.com/concretecms/concretecms/pull/12184 - () https://github.com/concretecms/concretecms/pull/12184 - Patch

26 Sep 2024, 13:32

Type Values Removed Values Added
Summary
  • (es) Las versiones 9 a 9.3.3 de Concrete CMS y las versiones anteriores a 8.5.19 son vulnerables a XSS almacenado en la función de adición de eventos del calendario porque el nombre del evento del calendario no se saneó en la salida. Los usuarios o grupos con permiso para crear calendarios de eventos pueden incrustar scripts, y los usuarios o grupos con permiso para modificar calendarios de eventos pueden ejecutar scripts. El equipo de seguridad de Concrete CMS le dio a esta vulnerabilidad una puntuación CVSS v4 de 1.8 con el vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N. Gracias, Yusuke Uchida, por informar.

25 Sep 2024, 01:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-25 01:15

Updated : 2024-09-30 16:12


NVD link : CVE-2024-7398

Mitre link : CVE-2024-7398

CVE.ORG link : CVE-2024-7398


JSON object : View

Products Affected

concretecms

  • concrete_cms
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')