GHSA-45fj-fvmm-xcc5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-45fj-fvmm-xcc5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-45fj-fvmm-xcc5/GHSA-45fj-fvmm-xcc5.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-45fj-fvmm-xcc5
- Aliases
- Published
- 2026-03-04T03:31:34Z
- Modified
- 2026-03-04T21:48:34.165334Z
- Severity
-
- 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability
- Details
-
In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored XSS attack towards high-privilege accounts via the Question field.
The Concrete CMS security team thanks minhnn42, namdi and quanlna2 from VCSLab-Viettel Cyber Security for reporting.
- Database specific
{ "github_reviewed_at": "2026-03-04T21:36:26Z", "github_reviewed": true, "severity": "MODERATE", "nvd_published_at": "2026-03-04T03:16:04Z", "cwe_ids": [ "CWE-79" ] }- References
Affected packages
Packagist / concrete5/concrete5
Package
- Name
- concrete5/concrete5
- Purl
- pkg:composer/concrete5/concrete5
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed9.4.8
Affected versions
8.*
8.0
8.0.1
8.0.2
8.0.3
8.1.0
8.2.0RC2
8.2.0
8.2.1
8.3.0
8.3.1
8.3.2
8.4.0RC3
8.4.0RC4
8.4.0
8.4.1
8.4.2
8.4.3
8.4.4
8.4.5
8.5.0RC1
8.5.0RC2
8.5.0
8.5.1
8.5.2
8.5.3
8.5.4
8.5.5
8.5.6RC1
8.5.6
8.5.7
8.5.8
8.5.9
8.5.10
8.5.11
8.5.12
8.5.13
8.5.14
8.5.15
8.5.16
8.5.17
8.5.18
8.5.19
8.5.20
8.5.21
9.*
9.0.0RC1
9.0.0RC3
9.0.0RC4
9.0.0
9.0.1
9.0.2
9.1.0
9.1.1
9.1.2
9.1.3
9.2.0RC2
9.2.0
9.2.1
9.2.2
9.2.3
9.2.4
9.2.5
9.2.6
9.2.7
9.2.8
9.2.9
9.3.0
9.3.1
9.3.2
9.3.3
9.3.4
9.3.5
9.3.6
9.3.7
9.3.8
9.3.9
9.4.0RC1
9.4.0RC2
9.4.0
9.4.1
9.4.2
9.4.3
9.4.4
9.4.5
9.4.6
9.4.7