GHSA-c5xf-rmv4-j85h

Source

https://github.com/advisories/GHSA-c5xf-rmv4-j85h

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-c5xf-rmv4-j85h/GHSA-c5xf-rmv4-j85h.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-c5xf-rmv4-j85h

Aliases

CVE-2025-8573

Published

2025-08-06T00:30:25Z

Modified

2025-08-06T17:42:17.790881Z

Severity

2.0 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Concrete CMS is vulnerable to Stored XSS from Home Folder on Members Dashboard page

Details

Concrete CMS versions 9 through 9.4.2 are vulnerable to Stored XSS from Home Folder on Members Dashboard page. Version 8 was not affected. A rogue admin could set up a malicious folder containing XSS to which users could be directed upon login.

Database specific

{
    "cwe_ids": [
        "CWE-20",
        "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-06T17:35:50Z",
    "nvd_published_at": "2025-08-05T23:15:39Z",
    "severity": "LOW"
}

References

Affected packages

Packagist / concrete5/concrete5

Package

Name: concrete5/concrete5
Purl: pkg:composer/concrete5/concrete5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.0RC1

Fixed

9.4.3

Affected versions

9.*

9.0.0RC1

9.0.0RC3

9.0.0RC4

9.0.0

9.0.1

9.0.2

9.1.0

9.1.1

9.1.2

9.1.3

9.2.0RC2

9.2.0

9.2.1

9.2.2

9.2.3

9.2.4

9.2.5

9.2.6

9.2.7

9.2.8

9.2.9

9.3.0

9.3.1

9.3.2

9.3.3

9.3.4

9.3.5

9.3.6

9.3.7

9.3.8

9.3.9

9.4.0RC1

9.4.0RC2

9.4.0

9.4.1

9.4.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-c5xf-rmv4-j85h/GHSA-c5xf-rmv4-j85h.json"