CVE-2023-44763

MEDIUM

Concrete CMS 9.2.1 - Arbitrary File Upload and Cross-Site Scripting via Thumbnail File Upload

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-44763. PoCs published by sromanhu.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2023-44763, an arbitrary file upload vulnerability in ConcreteCMS v9.2.1 leading to stored XSS. It includes payload examples (PDF/SVG/HTML) and step-by-step exploitation via the 'Thumbnail' upload feature.

Description

Concrete CMS v9.2.1 is affected by an Arbitrary File Upload vulnerability via a Thumbnail file upload, which allows Cross-Site Scripting (XSS). NOTE: the vendor's position is that a customer is supposed to know that "pdf" should be excluded from the allowed file types, even though pdf is one of the allowed file types in the default configuration.

Exploits (1)

nomisec WRITEUP
by sromanhu · poc
https://github.com/sromanhu/CVE-2023-44763_ConcreteCMS-Arbitrary-file-upload-Thumbnail

This repository provides a detailed technical analysis of CVE-2023-44763, an arbitrary file upload vulnerability in ConcreteCMS v9.2.1 leading to stored XSS. It includes payload examples (PDF/SVG/HTML) and step-by-step exploitation via the 'Thumbnail' upload feature.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: ConcreteCMS v9.2.1
Auth required
Prerequisites: Authenticated access to ConcreteCMS dashboard · Access to 'Settings - Tags - Thumbnail' upload feature
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 5.4
EPSS 0.0027
EPSS Percentile 50.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-434
Status published
Products (2)
concrete5/concrete5 0Packagist
concretecms/concrete_cms 9.2.1
Published Oct 10, 2023
Tracked Since Feb 18, 2026