CVE-2024-1247
Concrete CMS version 9 before 9.2.5 vulnerable to stored XSS via the Role Name field
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS via the Role Name field since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the affected page. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Concrete versions below 9 do not include group types so they are not affected by this vulnerability.
La versión 9 de Concrete CMS anterior a la 9.2.5 es vulnerable al XSS almacenado a través del campo Role Name, ya que no hay validación suficiente de los datos proporcionados por el administrador para ese campo. Un administrador deshonesto podría inyectar código malicioso en el campo Role Name que podría ejecutarse cuando los usuarios visitan la página afectada. El equipo de seguridad de Concrete CMS obtuvo este 2 con el vector CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator. Las versiones concretas inferiores a 9 no incluyen tipos de grupos, por lo que no se ven afectados por esta vulnerabilidad.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-02-06 CVE Reserved
- 2024-02-09 CVE Published
- 2024-02-15 EPSS Updated
- 2024-08-01 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
- CAPEC-63: Cross-Site Scripting (XSS)
References (2)
URL | Tag | Source |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Concretecms Search vendor "Concretecms" | Concrete Cms Search vendor "Concretecms" for product "Concrete Cms" | >= 9.0.0 < 9.2.5 Search vendor "Concretecms" for product "Concrete Cms" and version " >= 9.0.0 < 9.2.5" | - |
Affected
|