GHSA-w6j6-w6jx-vf2r

Source

https://github.com/advisories/GHSA-w6j6-w6jx-vf2r

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/08/GHSA-w6j6-w6jx-vf2r/GHSA-w6j6-w6jx-vf2r.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-w6j6-w6jx-vf2r

Aliases

CVE-2024-7394

Published

2024-08-08T18:31:20Z

Modified

2025-01-21T18:23:10.949991Z

Severity

2.0 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N CVSS Calculator
4.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Concrete CMS Stored XSS in getAttributeSetName

Details

Concrete CMS versions 9 through 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in getAttributeSetName(). A rogue administrator could inject malicious code.

Database specific

{
    "severity": "MODERATE",
    "nvd_published_at": "2024-08-08T17:15:20Z",
    "github_reviewed_at": "2024-08-08T20:40:12Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-20",
        "CWE-79"
    ]
}

References

Affected packages

Packagist / concrete5/concrete5

Package

Name: concrete5/concrete5
Purl: pkg:composer/concrete5/concrete5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.5.18

Affected versions

8.*

8.0

8.0.1

8.0.2

8.0.3

8.1.0

8.2.0RC2

8.2.0

8.2.1

8.3.0

8.3.1

8.3.2

8.4.0RC3

8.4.0RC4

8.4.0

8.4.1

8.4.2

8.4.3

8.4.4

8.4.5

8.5.0RC1

8.5.0RC2

8.5.0

8.5.1

8.5.2

8.5.3

8.5.4

8.5.5

8.5.6RC1

8.5.6

8.5.7

8.5.8

8.5.9

8.5.10

8.5.11

8.5.12

8.5.13

8.5.14

8.5.15

8.5.16

8.5.17

Packagist / concrete5/concrete5

Package

Name: concrete5/concrete5
Purl: pkg:composer/concrete5/concrete5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.0

Fixed

9.3.3

Affected versions

9.*

9.0.0

9.0.1

9.0.2

9.1.0

9.1.1

9.1.2

9.1.3

9.2.0RC2

9.2.0

9.2.1

9.2.2

9.2.3

9.2.4

9.2.5

9.2.6

9.2.7

9.2.8

9.2.9

9.3.0

9.3.1

9.3.2