CVE-2024-7394

MEDIUM

Concrete CMS < 8.5.18 and 9.0.0-9.3.2 - Authenticated Stored Cross-Site Scripting in getAttributeSetName()

Title source: llm

Description

Concrete CMS versions 9 through 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in getAttributeSetName(). A rogue administrator could inject malicious code. The Concrete CMS team gave this a CVSS v4.0 rank of 4.6 with vector https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks, m3dium for reporting. (CNA updated this risk rank on 20 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC)

References (4)

Core 4

Core References

Release Notes, Vendor Advisory

https://documentation.concretecms.org/9-x/developers/introduction/version-history/933-release-notes?pk_vid=e367a434ef4830491723055753d52041

Release Notes, Vendor Advisory

https://documentation.concretecms.org/developers/introduction/version-history/8518-release-notes?pk_vid=e367a434ef4830491723055758d52041

Patch

https://github.com/concretecms/concretecms/commit/c08d9671cec4e7afdabb547339c4bc0bed8eab06

View Patch ZIP pw:eip

Issue Tracking, Patch

https://github.com/concretecms/concretecms/pull/12166

Scores

CVSS v3 4.8

EPSS 0.0041

EPSS Percentile 32.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

concrete5/concrete5 0 - 8.5.18Packagist

concretecms/concrete_cms < 8.5.18

Published Aug 08, 2024

Tracked Since Feb 18, 2026