GHSA-wrp2-6v6j-hfmg
Suggest an improvement- Source
- https://github.com/advisories/GHSA-wrp2-6v6j-hfmg
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-wrp2-6v6j-hfmg/GHSA-wrp2-6v6j-hfmg.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-wrp2-6v6j-hfmg
- Aliases
- Published
- 2023-10-10T12:32:12Z
- Modified
- 2024-02-16T08:07:15.248149Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- ConcreteCMS vulnerable to Stored Cross-site Scripting
- Details
-
Concrete CMS v9.2.1 is affected by Arbitrary File Upload vulnerability via the Thumbnail file upload, which allows Cross-Site Scripting (XSS).
- Database specific
{ "nvd_published_at": "2023-10-10T12:15:09Z", "cwe_ids": [ "CWE-434", "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-10-10T22:23:43Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2023-44763
- https://github.com/concretecms/concretecms
- https://github.com/sromanhu/ConcreteCMS-Arbitrary-file-upload-Thumbnail
- https://web.archive.org/web/20231026034159/https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/allowed-file-types
- https://www.concretecms.org/about/project-news/security/security-advisory-2023-10-25-concrete-cms-rejects-cve-2023-44763
Affected packages
Packagist / concrete5/concrete5
Package
- Name
- concrete5/concrete5
- Purl
- pkg:composer/concrete5/concrete5
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedLast affected9.2.1
Affected versions
8.*
8.0
8.0.1
8.0.2
8.0.3
8.1.0
8.2.0RC2
8.2.0
8.2.1
8.3.0
8.3.1
8.3.2
8.4.0RC3
8.4.0RC4
8.4.0
8.4.1
8.4.2
8.4.3
8.4.4
8.4.5
8.5.0RC1
8.5.0RC2
8.5.0
8.5.1
8.5.2
8.5.3
8.5.4
8.5.5
8.5.6RC1
8.5.6
8.5.7
8.5.8
8.5.9
8.5.10
8.5.11
8.5.12
8.5.13
8.5.14
8.5.15
8.5.99
9.*
9.0.0RC1
9.0.0RC3
9.0.0RC4
9.0.0
9.0.1
9.0.2
9.1.0
9.1.1
9.1.2
9.1.3
9.2.0RC2
9.2.0
9.2.1