M3Dium

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions prior to 9.4.8 **Description** A stored cross-site scripting (XSS) issue exists in the "Legacy Form" block. An authenticated user with appropriate permissions can inject a JavaScript payload into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box). This payload is then executed in the browser of any user who views the page containing the form. The affected block allows for the injection of persistent JavaScript code. **Recommendations** Update Concrete CMS to version 9.4.8 or later.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions prior to 9.4.8 **Description** A malicious administrator can inject stored cross-site scripting (XSS) through the Switch Language block. This allows an attacker to execute scripts in the context of another user's browser. **Recommendations** Update to version 9.4.8 or later.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions 9.0.0 through 9.3.2 Concrete CMS versions below 8.5.18 **Description** The issue concerns Stored XSS in the RSS Displayer of Concrete CMS, where user input is stored and later embedded into responses. This occurs due to insufficient input validation, allowing a rogue administrator to inject malicious code into fields. **Recommendations** For Concrete CMS versions 9.0.0 through 9.3.2, update to a version above 9.3.2 to resolve the issue. For Concrete CMS versions below 8.5.18, update to version 8.5.18 or higher to resolve the issue. As a temporary workaround, consider restricting access to the RSS Displayer feature until a patch is available. Restrict administrator privileges to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions 9.0.0 through 9.3.2 **Description** The issue is a stored XSS vulnerability in Board instances, which could allow a rogue administrator to inject malicious code. **Recommendations** For versions 9.0.0 through 9.3.2, update to a version that fixes this issue to prevent exploitation. As a temporary workaround, consider restricting access to Board instances until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions 9 through 9.3.2 Concrete CMS versions below 8.5.18 **Description** The issue concerns a Stored XSS vulnerability in the `getAttributeSetName()` function. A rogue administrator could inject malicious code. **Recommendations** For Concrete CMS versions 9 through 9.3.2, update to a version above 9.3.2 to resolve the issue. For Concrete CMS versions below 8.5.18, update to version 8.5.18 or higher to resolve the issue. As a temporary workaround, consider restricting access to the `getAttributeSetName()` function until a patch is available.