CVE-2024-3181
Concrete CMS version 9 prior to 9.2.8 and previous versions prior to 8.5.16 are vulnerable to Stored XSS in the Search Field.
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
2Exploited in Wild
-Decision
Descriptions
Concrete CMS version 9 prior to 9.2.8 and previous versions prior to 8.5.16 are vulnerable to Stored XSS in the Search Field. Prior to the fix, stored XSS could be executed by an administrator changing a filter to which a rogue administrator had previously added malicious code. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Thanks Alexey Solovyev for reporting
La versión 9 de Concrete CMS anterior a 9.2.8 y las versiones anteriores a 8.5.16 son vulnerables a XSS Almacenado en el campo de búsqueda. Antes de la solución, un administrador podía ejecutar el XSS almacenado cambiando un filtro al que un administrador deshonesto había agregado previamente código malicioso. El equipo de seguridad de Concrete CMS le dio a esta vulnerabilidad una puntuación CVSS v3.1 de 3.1 con un vector de AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A: L https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator. Gracias Alexey Solovyev por informar
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-04-02 CVE Reserved
- 2024-04-03 CVE Published
- 2024-04-04 EPSS Updated
- 2024-04-11 First Exploit
- 2024-08-30 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-20: Improper Input Validation
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
- CAPEC-592: Stored XSS
References (4)
| URL | Date | SRC |
|---|---|---|
| https://github.com/Chocapikk/CVE-2024-31819 | 2024-04-11 | |
| https://github.com/Jhonsonwannaa/CVE-2024-31819 | 2024-06-21 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Concrete CMS Search vendor "Concrete CMS" | Concrete CMS Search vendor "Concrete CMS" for product "Concrete CMS" | >= 9.0.0 < 9.2.8 Search vendor "Concrete CMS" for product "Concrete CMS" and version " >= 9.0.0 < 9.2.8" | en |
Affected
| ||||||
| Concrete CMS Search vendor "Concrete CMS" | Concrete CMS Search vendor "Concrete CMS" for product "Concrete CMS" | >= 5.0.0 < 8.5.16 Search vendor "Concrete CMS" for product "Concrete CMS" and version " >= 5.0.0 < 8.5.16" | en |
Affected
| ||||||