CVE-2024-3180

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-3180

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-3180.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-3180

Aliases

GHSA-9qhc-pg6j-wf23

Published

2024-04-03T19:15:44.560Z

Modified

2026-02-05T12:39:09.700742Z

Severity

4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Concrete CMS version 9 below 9.2.8 and previous versions below 8.5.16 is vulnerable to Stored XSS in blocks of type file. Stored XSS could be caused by a rogue administrator adding malicious code to the link-text field when creating a block of type file. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Thanks Alexey Solovyev for reporting.

References

Affected packages

Git / github.com/concretecms/concretecms

Affected ranges

Type: GIT
Repo: https://github.com/concretecms/concretecms
Events: Fixed

17020e35940cdec1493c63065af6a2245e00d402

Introduced

b3774abddd475b4ba98b637402506f7a5ebd90ea

Fixed

54cb334ddefcc6d516fc59d5e21404497da27a6d

Affected versions

9.*

9.0.0

9.0.1

9.0.2

9.1.0

9.1.1

9.1.2

9.1.3

9.2.0

9.2.0RC2

9.2.1

9.2.2

9.2.3

9.2.4

9.2.5

9.2.6

9.2.7

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-3180.json"