PT-2023-21747 · Unknown · Concrete Cms

Veshraj Ghimire

Publicado

2023-04-28

Atualizado

2023-12-06

CVE-2023-28477

CVSS v3.1

5.5

Média

Vetor

AC:L/AV:N/A:N/C:H/I:L/PR:H/S:U/UI:N

Name of the Vulnerable Software and Affected Versions Concrete CMS (previously concrete5) versions 8.5.12 and below Concrete CMS (previously concrete5) versions 9.0 through 9.1.3

Description The issue concerns stored XSS on API Integrations via the name parameter. This allows for potential exploitation through malicious input in the name parameter of API Integrations.

Recommendations For Concrete CMS (previously concrete5) versions 8.5.12 and below, update to version 9.2 or later to resolve the issue. For Concrete CMS (previously concrete5) versions 9.0 through 9.1.3, update to version 9.2 or later to resolve the issue. As a temporary workaround, consider restricting input for the name parameter in API Integrations to minimize the risk of exploitation.

Correção

XSS

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-79

Identificadores relacionados

CVE-2023-28477

GHSA-XFMJ-R86M-J2HR

Produtos afetados

Concrete Cms

PT-2023-21747 · Unknown · Concrete Cms

CVE-2023-28477

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 11