CVE-2024-1245

LOW

Concrete CMS 9.0.0-9.2.4 - Stored Cross-Site Scripting in File Tags and Description Attributes

Title source: llm

Description

Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator entered file attributes are not sufficiently sanitized in the Edit Attributes page. A rogue administrator could put malicious code into the file tags or description attributes and, when another administrator opens the same file for editing, the malicious code could execute. The Concrete CMS Security team scored this 2.4 with CVSS v3 vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N.

References (2)

Core 2

Core References

Release Notes, Vendor Advisory

https://documentation.concretecms.org/9-x/developers/introduction/version-history/925-release-notes

Vendor Advisory

https://www.concretecms.org/about/project-news/security/2024-02-04-security-advisory

Scores

CVSS v3 2.4

EPSS 0.0040

EPSS Percentile 31.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-20 CWE-79

Status published

Products (2)

concrete5/concrete5 9.0.0RC1 - 9.2.5Packagist

concretecms/concrete_cms 9.0.0 - 9.2.5

Published Feb 09, 2024

Tracked Since Feb 18, 2026