CVE-2024-7394

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-7394

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-7394.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-7394

Aliases

GHSA-w6j6-w6jx-vf2r

Published

2024-08-08T17:15:20Z

Modified

2024-10-08T04:25:40.264387Z

Severity

4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Concrete CMS versions 9 through 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in getAttributeSetName(). A rogue administrator could inject malicious code. The Concrete CMS team gave this a CVSS v3.1 rank of 2 with vector AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator and a CVSS v4.0 rank of 1.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N . Thanks, m3dium for reporting.

References

Affected packages

Git / github.com/concretecms/concretecms

Affected ranges

Type: GIT
Repo: https://github.com/concretecms/concretecms
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

c08d9671cec4e7afdabb547339c4bc0bed8eab06

Affected versions

5.*

5.7.0

5.7.0.1

5.7.0.3

5.7.0.4

5.7.1

5.7.2

5.7.2.1

5.7.3

5.7.3.1

5.7.4

5.7.4.1

5.7.4.2

5.7.5

5.7.5.1

5.7.5.10

5.7.5.11

5.7.5.12

5.7.5.2

5.7.5.3

5.7.5.4

5.7.5.5

5.7.5.6

5.7.5.7

5.7.5.8

5.7.5.9

8.*

8.0

8.0.1

8.0.2

8.0.3

8.1.0

8.2.0

8.2.0RC2

8.2.1

8.3.0

8.3.1

8.3.2

8.4.0

8.4.0RC3

8.4.0RC4

8.4.1

8.4.2

8.4.3

8.4.4

8.4.5

8.5.0

8.5.0RC1

8.5.0RC2

8.5.1

8.5.10

8.5.11

8.5.12

8.5.13

8.5.14

8.5.15

8.5.16

8.5.17

8.5.2

8.5.3

8.5.4

8.5.5

8.5.6

8.5.6RC1

8.5.7

8.5.8

8.5.9