PT-2019-9735 · Concrete5 · Concrete5
Hexife
Published 2019-06-17 · Updated 2021-07-15
CVE-2018-19146
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Concrete5 version 8.4.3
Description
The issue allows for XSS attacks because the config/concrete.php file permits administrators to upload SVG files that may contain HTML data with a SCRIPT element.
Recommendations
For Concrete5 version 8.4.3, consider restricting the upload of SVG files, or ensuring that all uploaded files are thoroughly validated to prevent the inclusion of malicious HTML data, such as SCRIPT elements, until a proper fix is available.
Exploit
Fix
XSS
Weakness Enumeration
Related identifiers
Affected products
Concrete5