Concrete CMS versions 9 through 9.3.3, and versions below 8.5.19, are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with permission to modify event calendars can execute them. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 1.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N (https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N). Thank you to Yusuke Uchida for reporting.
History

30 Sep 2024, 16:12
- CVSS: v3 score 5.4 added (v2: unknown)
- CPE: cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*
- First Time: Concretecms concrete Cms; Concretecms
- References:
  - https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes - Release Notes
  - https://documentation.concretecms.org/developers/introduction/version-history/8519-release-notes - Release Notes
  - https://github.com/concretecms/concretecms/commit/7c8ed0d1d9db0d7f6df7fa066e0858ea618451a5 - Patch
  - https://github.com/concretecms/concretecms/pull/12183 - Patch
  - https://github.com/concretecms/concretecms/pull/12184 - Patch

26 Sep 2024, 13:32
- Summary updated

25 Sep 2024, 01:15
- New CVE
Information
Published : 2024-09-25 01:15
Updated : 2024-09-30 16:12
NVD link : CVE-2024-7398
Mitre link : CVE-2024-7398
CVE.ORG link : CVE-2024-7398
Products Affected
concretecms
- concrete_cms
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')