CVE-2024-4353

MEDIUM

Concrete CMS 9.0.0-9.3.2 - Stored Cross-Site Scripting in Dashboard Board Name Input

Title source: llm

Description

Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board instance functionality. The Name input field does not check the input sufficiently letting a rogue administrator have the capability to inject malicious JavaScript code. The Concrete CMS security team gave this vulnerability a CVSS v4 score of 4.6 with a vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Concrete versions below 9 are not affected by this vulnerability.Thanks fhAnso for reporting. (CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC).

References (2)

Core 2

Core References

Release Notes

https://documentation.concretecms.org/9-x/developers/introduction/version-history/933-release-notes

Patch

https://github.com/concretecms/concretecms/pull/12151

Scores

CVSS v3 4.8

EPSS 0.0029

EPSS Percentile 20.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-20 CWE-79

Status published

Products (2)

concrete5/concrete5 9.0.0Packagist

concretecms/concrete_cms 9.0.0 - 9.3.3

Published Aug 01, 2024

Tracked Since Feb 18, 2026