CVE-2024-4350
Stored XSS in RSS Displayer
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses. A rogue administrator could inject malicious code into fields due to insufficient input validation. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.0 with a vector of AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator and a CVSS v4 score of 2.1 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Thanks, m3dium for reporting.
Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses. A rogue administrator could inject malicious code into fields due to insufficient input validation. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.0 with a vector of AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator and a CVSS v4 score of 2.1 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Thanks, m3dium for reporting.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-04-30 CVE Reserved
- 2024-08-09 CVE Published
- 2024-08-19 CVE Updated
- 2024-08-31 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
CAPEC
- CAPEC-592: Stored XSS
References (4)
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Concrete CMS Search vendor "Concrete CMS" | Concrete CMS Search vendor "Concrete CMS" for product "Concrete CMS" | >= 9.0.0 < 9.3.3 Search vendor "Concrete CMS" for product "Concrete CMS" and version " >= 9.0.0 < 9.3.3" | en |
Affected
| ||||||
Concrete CMS Search vendor "Concrete CMS" | Concrete CMS Search vendor "Concrete CMS" for product "Concrete CMS" | >= 5.0.0 < 8.5.18 Search vendor "Concrete CMS" for product "Concrete CMS" and version " >= 5.0.0 < 8.5.18" | en |
Affected
|