CVE-2022-30118

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Title for CVE: XSS in /dashboard/system/express/entities/forms/save_control/[GUID]: old browsers only.Description: When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 can allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks zeroinside for reporting.

Título del CVE: Una vulnerabilidad de tipo XSS en /dashboard/system/express/entities/forms/save_control/[GUID]: sólo para navegadores antiguos. Descripción: Cuando es usado Internet Explorer con la protección de tipo XSS deshabilitada, la edición de un control de formulario en un formulario de entidades expresas para Concrete versiones 8.5.7 y anteriores, así como para Concrete versiones 9.0 hasta 9.0.2, puede permitir un ataque de tipo XSS. Esto no puede ser explotado en los navegadores web actuales debido a un mecanismo de escape de entrada automático. El equipo de seguridad de Concrete CMS clasificó esta vulnerabilidad 2 con el vector CVSS v3.1 AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Gracias a zeroinside por reportar

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-05-02 CVE Reserved
2022-06-24 CVE Published
2024-01-15 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (2)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes	2022-07-05
https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes	2022-07-05

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Concretecms Search vendor "Concretecms"		Concrete Cms Search vendor "Concretecms" for product "Concrete Cms"				< 8.5.8 Search vendor "Concretecms" for product "Concrete Cms" and version " < 8.5.8"		-		Affected
Concretecms Search vendor "Concretecms"		Concrete Cms Search vendor "Concretecms" for product "Concrete Cms"				>= 9.0.0 < 9.1.0 Search vendor "Concretecms" for product "Concrete Cms" and version " >= 9.0.0 < 9.1.0"		-		Affected