PT-2023-21745 · Unknown · Concrete Cms

Bogdan Tiron

Publicado

2023-04-28

Atualizado

2023-12-06

CVE-2023-28475

CVSS v3.1

6.1

Média

Vetor

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Concrete CMS (previously concrete5) versions 8.5.12 and below Concrete CMS (previously concrete5) versions 9.0 through 9.1.3

Description The issue is related to Reflected XSS on the Reply form because the msgID was not sanitized. This allows for potential exploitation.

Recommendations For versions 8.5.12 and below, update to version 9.2 or later. For versions 9.0 through 9.1.3, update to version 9.2 or later. As a temporary workaround, consider restricting access to the Reply form until a patch is available. Avoid using the msgID parameter in the affected Reply form endpoint until the issue is resolved.

Correção

XSS

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-79

Identificadores relacionados

CVE-2023-28475

GHSA-VCPR-HM2M-GJJJ

Produtos afetados

Concrete Cms

PT-2023-21745 · Unknown · Concrete Cms

CVE-2023-28475

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 9