CVE-2025-2967
ConcreteCMS HTML Block save HTML injection
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
A vulnerability was found in ConcreteCMS up to 9.3.9. It has been classified as problematic. This affects the function Save of the component HTML Block Handler. The manipulation of the argument content leads to HTML injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Es wurde eine Schwachstelle in ConcreteCMS bis 9.3.9 ausgemacht. Sie wurde als problematisch eingestuft. Betroffen hiervon ist die Funktion Save der Komponente HTML Block Handler. Durch die Manipulation des Arguments content mit unbekannten Daten kann eine HTML injection-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff über das Netzwerk. Der Exploit steht zur öffentlichen Verfügung.
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2025-03-30 CVE Reserved
- 2025-03-31 CVE Published
- 2025-03-31 CVE Updated
- 2025-03-31 EPSS Updated
- 2025-03-31 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://vuldb.com/?id.302019 | Technical Description | |
| https://vuldb.com/?submit.522417 | Third Party Advisory |
| URL | Date | SRC |
|---|---|---|
| https://github.com/yaowenxiao721/Poc/blob/main/Concretecms/Concretecms-poc5.md | 2025-03-31 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| - | - | - | - | - | ||||||