Mnkras

**Name of the Vulnerable Software and Affected Versions** concrete5 versions prior to 5.6.3.4 **Description** The issue is caused by insufficient filtration of user-supplied data, specifically the `disable choose` parameter, passed to the "concrete5-legacy-master/web/concrete/tools/files/search dialog.php" URL. This allows an attacker to execute arbitrary HTML and script code in a browser in the context of the vulnerable website. **Recommendations** For concrete5 versions prior to 5.6.3.4, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the "concrete5-legacy-master/web/concrete/tools/files/search dialog.php" URL to minimize the risk of exploitation. Avoid using the `disable choose` parameter in the affected URL until the issue is resolved.