CVE-2024-7512

Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in Board instances. A rogue administrator could inject malicious code. The Concrete CMS security team gave this vulnerability a CVSS 4.0 Score of 1.8 with vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Versions below 9 are not affected. Thanks, m3dium for reporting.
Configurations

Configuration 1 (hide)

cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*

History

30 Aug 2024, 18:19

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 4.8
References () https://documentation.concretecms.org/9-x/developers/introduction/version-history/933-release-notes?pk_vid=e367a434ef4830491723055753d52041 - () https://documentation.concretecms.org/9-x/developers/introduction/version-history/933-release-notes?pk_vid=e367a434ef4830491723055753d52041 - Release Notes, Vendor Advisory
References () https://hackerone.com/reports/2486344 - () https://hackerone.com/reports/2486344 - Permissions Required
CWE CWE-79
CPE cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*
First Time Concretecms concrete Cms
Concretecms

19 Aug 2024, 22:15

Type Values Removed Values Added
Summary
  • (es) Las versiones 9.0.0 a 9.3.2 de Concrete CMS se ven afectadas por una vulnerabilidad XSS almacenado en instancias de Board. Un administrador deshonesto podría inyectar código malicioso. El equipo de seguridad de Concrete CMS le dio a esta vulnerabilidad una puntuación CVSS 4.0 de 1.8 con el vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:N/VA :N/SC:N/SI:N/SA: N. Las versiones inferiores a 9 no se ven afectadas. Gracias, m3dium por informar.
Summary (en) Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in Board instances. A rogue administrator could inject malicious code. The Concrete CMS security team gave this vulnerability a CVSS 4.0 Score of 1.8 with vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA: N. Versions below 9 are not affected.  Thanks, m3dium for reporting. (en) Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in Board instances. A rogue administrator could inject malicious code. The Concrete CMS security team gave this vulnerability a CVSS 4.0 Score of 1.8 with vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Versions below 9 are not affected. Thanks, m3dium for reporting.

12 Aug 2024, 13:41

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-12 13:38

Updated : 2024-08-30 18:19


NVD link : CVE-2024-7512

Mitre link : CVE-2024-7512

CVE.ORG link : CVE-2024-7512


JSON object : View

Products Affected

concretecms

  • concrete_cms
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-20

Improper Input Validation