CVE-2024-1245

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-1245
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-1245.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-1245
Aliases
Published
2024-02-09T20:15:54.370Z
Modified
2026-01-09T19:12:55.526545Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Summary
[none]
Details

Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes, since administrator-entered file attributes are not sufficiently sanitized in the Edit Attributes page. A rogue administrator could put malicious code into the file tags or description attributes and, when another administrator opens the same file for editing, the malicious code could execute. The Concrete CMS Security team scored this 2.4 with CVSS v3 vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N.

References

Affected packages

Git / github.com/concretecms/concretecms

Affected ranges

Type
GIT
Repo
https://github.com/concretecms/concretecms
Events

Affected versions

9.*

9.0.0
9.0.1
9.0.2
9.1.0
9.1.1
9.1.2
9.1.3
9.2.0
9.2.0RC2
9.2.1
9.2.2
9.2.3
9.2.4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-1245.json"