CVE-2017-6908

Name of the Vulnerable Software and Affected Versions concrete5 versions prior to 5.6.3.4

Description The issue is caused by insufficient filtration of user-supplied data, specifically the fID variable, passed to the "concrete5-legacy-master/web/concrete/tools/files/selector data.php" URL. This allows an attacker to execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

Recommendations For versions prior to 5.6.3.4, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the "concrete5-legacy-master/web/concrete/tools/files/selector data.php" URL to minimize the risk of exploitation. Avoid using the fID variable in the affected URL until the issue is resolved.