CVE-2017-6905

Name of the Vulnerable Software and Affected Versions concrete5 versions prior to 5.6.3.4

Description The issue is caused by insufficient filtration of user-supplied data, specifically the disable choose parameter, passed to the "concrete5-legacy-master/web/concrete/tools/files/search dialog.php" URL. This allows an attacker to execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

Recommendations For concrete5 versions prior to 5.6.3.4, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the "concrete5-legacy-master/web/concrete/tools/files/search dialog.php" URL to minimize the risk of exploitation. Avoid using the disable choose parameter in the affected URL until the issue is resolved.