Concrete CMS versions 9.0.0 through 9.3.3 are affected by a
stored XSS vulnerability in the "Top Navigator Bar" block.
Since the "Top Navigator Bar" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted users visited the home page.The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6
with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N . This
does not affect versions below 9.0.0 since they do not have the Top
Navigator Bar Block. Thanks, Chu Quoc Khanh for reporting.
References
Link | Resource |
---|---|
https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes | Release Notes |
https://github.com/concretecms/concretecms/pull/12128 | Issue Tracking Patch |
Configurations
History
23 Sep 2024, 23:00
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 4.8 |
First Time |
Concretecms
Concretecms concrete Cms |
|
References | () https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes - Release Notes | |
References | () https://github.com/concretecms/concretecms/pull/12128 - Issue Tracking, Patch | |
CPE | cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:* |
20 Sep 2024, 12:30
Type | Values Removed | Values Added |
---|---|---|
Summary |
|
17 Sep 2024, 19:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-09-17 19:15
Updated : 2024-09-23 23:00
NVD link : CVE-2024-8660
Mitre link : CVE-2024-8660
CVE.ORG link : CVE-2024-8660
JSON object : View
Products Affected
concretecms
- concrete_cms
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')