CVE-2024-8660

Concrete CMS versions 9.0.0 through 9.3.3 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block. Because the "Top Navigator Bar" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that would execute when targeted users visited the home page. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N (https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N). This does not affect versions below 9.0.0, since they do not have the Top Navigator Bar block. Thanks to Chu Quoc Khanh for reporting.
Configurations

Configuration 1

cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*

History

23 Sep 2024, 23:00

Type | Values Removed | Values Added
CVSS | v2 : unknown; v3 : unknown | v2 : unknown; v3 : 4.8
First Time | - | Concretecms; Concretecms concrete Cms
References | https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes | https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes (Release Notes)
References | https://github.com/concretecms/concretecms/pull/12128 | https://github.com/concretecms/concretecms/pull/12128 (Issue Tracking, Patch)
CPE | - | cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*

20 Sep 2024, 12:30

Type Values Removed Values Added
Summary
  • (es) Concrete CMS versions 9.0.0 through 9.3.3 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block. Because the "Top Navigator Bar" output was not sufficiently sanitized, a malicious administrator could add a malicious payload that could execute when targeted users visited the home page. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N (https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N). This does not affect versions prior to 9.0.0, since they do not have the Top Navigator Bar block. Thanks to Chu Quoc Khanh for reporting.

17 Sep 2024, 19:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-17 19:15

Updated : 2024-09-23 23:00


NVD link : CVE-2024-8660

Mitre link : CVE-2024-8660

CVE.ORG link : CVE-2024-8660


Products Affected

concretecms

  • concrete_cms
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')