GHSA-36fr-3wg8-q5v8

Source

https://github.com/advisories/GHSA-36fr-3wg8-q5v8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-36fr-3wg8-q5v8/GHSA-36fr-3wg8-q5v8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-36fr-3wg8-q5v8

Aliases

CVE-2023-48649

Published

2023-11-17T06:31:21Z

Modified

2024-02-16T08:20:11.493026Z

Severity

3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Concrete CMS Cross-site Scripting vulnerability

Details

Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows stored XSS on the Admin page via an uploaded file name.

Database specific

{
    "github_reviewed_at": "2023-11-17T22:47:39Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "nvd_published_at": "2023-11-17T04:15:07Z",
    "severity": "LOW",
    "github_reviewed": true
}

References

Affected packages

Packagist / concrete5/concrete5

Package

Name: concrete5/concrete5
Purl: pkg:composer/concrete5/concrete5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.5.13

Affected versions

8.*

8.0

8.0.1

8.0.2

8.0.3

8.1.0

8.2.0RC2

8.2.0

8.2.1

8.3.0

8.3.1

8.3.2

8.4.0RC3

8.4.0RC4

8.4.0

8.4.1

8.4.2

8.4.3

8.4.4

8.4.5

8.5.0RC1

8.5.0RC2

8.5.0

8.5.1

8.5.2

8.5.3

8.5.4

8.5.5

8.5.6RC1

8.5.6

8.5.7

8.5.8

8.5.9

8.5.10

8.5.11

8.5.12

Packagist / concrete5/concrete5

Package

Name: concrete5/concrete5
Purl: pkg:composer/concrete5/concrete5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.0

Fixed

9.2.2

Affected versions

9.*

9.0.0

9.0.1

9.0.2

9.1.0

9.1.1

9.1.2

9.1.3

9.2.0RC2

9.2.0

9.2.1