GHSA-mgp6-j658-vcw9

Source
https://github.com/advisories/GHSA-mgp6-j658-vcw9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-mgp6-j658-vcw9/GHSA-mgp6-j658-vcw9.json
Aliases
  • CVE-2024-1245
Published
2024-02-09T21:30:57Z
Modified
2024-02-16T08:08:02.439930Z
Details

Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator entered file attributes are not sufficiently sanitized in the Edit Attributes page. A rogue administrator could put malicious code into the file tags or description attributes and, when another administrator opens the same file for editing, the malicious code could execute. The Concrete CMS Security team scored this 2.4 with CVSS v3 vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator .

References

Affected packages

Packagist / concrete5/concrete5

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.0.0RC1
Fixed
9.2.5

Affected versions

9.*

9.0.0RC1
9.0.0RC3
9.0.0RC4
9.0.0
9.0.1
9.0.2
9.1.0
9.1.1
9.1.2
9.1.3
9.2.0RC2
9.2.0
9.2.1
9.2.2
9.2.3
9.2.4