Unknown · Concrete CMS · CVE-2025-3153
**Name of the Vulnerable Software and Affected Versions**
Concrete CMS 9.x versions earlier than 9.4.0RC2
Concrete CMS versions earlier than 8.5.20
**Description**
The issue is in Concrete CMS's Address attribute: when no country is specified, the stored address values are not properly sanitized on output, so markup or script placed in an address field is emitted unescaped into the page (a stored XSS). Script running in a victim's browser can in turn issue requests with that user's session, which is the CSRF exposure the advisory describes. Attackers can only target users whom a site administrator has granted the ability to fill in an Address attribute. Impact is limited: an attacker can read some information from the site, with the amount and type bounded by existing mitigating controls and the attacker's own level of access; limited data modification is possible; and the dashboard page could become unavailable.
**Recommendations**
For Concrete CMS 9.x versions earlier than 9.4.0RC2, update to version 9.4.0RC2 or later. Note that the fix sanitizes address data submitted after the update; it does not retroactively clean data that is already stored.
For Concrete CMS versions earlier than 8.5.20, update to version 8.5.20 or later.
As a temporary workaround until the update is applied, restrict which users may fill in the Address attribute.
Because the fix applies only to data entered after the update, search the database for address attribute values stored before it: an entry carrying a payload injected while the site ran a vulnerable version remains active until it is cleaned or removed.
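The following is an added illustration of the bug class and of the post-update triage step; it is not Concrete CMS's code, which this page does not show. The `Address` fields, the row layout in `SAMPLE_ROWS` and the column names are assumptions standing in for the real attribute schema. `render_address_unsafe` reproduces the pattern the description implies (escaping applied only on the code path taken when a country is set), `render_address_safe` is the hardened form, and `find_suspicious_entries` is a simple scan over rows that would come from a query of stored address values, of the kind the last recommendation calls for.

```python
import html
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class Address:
    # Field names are assumptions, not Concrete CMS's attribute schema.
    address1: str = ""
    address2: str = ""
    city: str = ""
    state_province: str = ""
    postal_code: str = ""
    country: Optional[str] = None  # None models "no country specified"


def _lines(a: Address) -> List[str]:
    """Layout shared by both renderers; the country line is appended only if set."""
    city_line = " ".join(
        p for p in (f"{a.city}," if a.city else "", a.state_province, a.postal_code) if p
    )
    lines = [a.address1, a.address2, city_line]
    if a.country:
        lines.append(a.country)
    return [ln for ln in lines if ln.strip()]


def render_address_unsafe(a: Address) -> str:
    """Constructed illustration of the flaw: output escaping happens on the
    branch for a known country, while the no-country branch joins the raw
    field values straight into the HTML."""
    lines = _lines(a)
    if a.country:
        lines = [html.escape(ln) for ln in lines]
    return "<br>".join(lines)


def render_address_safe(a: Address) -> str:
    """Hardened form: every field is HTML-escaped before it touches markup,
    independent of which branch is taken."""
    return "<br>".join(html.escape(ln) for ln in _lines(a))


# Tags, javascript: URLs and inline event handlers; tuned to be a triage aid,
# not a complete XSS detector.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)

ADDRESS_COLUMNS = ("address1", "address2", "city", "state_province", "postal_code", "country")


def find_suspicious_entries(rows: Iterable[dict]) -> List[int]:
    """Return the ids of stored address rows whose free-text fields contain
    markup or script-like content. `rows` stands in for the result of a
    SELECT over the table holding address attribute values."""
    hits = []
    for row in rows:
        for col in ADDRESS_COLUMNS:
            if SUSPICIOUS.search(row.get(col) or ""):
                hits.append(row["id"])
                break
    return hits


# Constructed sample rows, as if read back from the database after the update.
SAMPLE_ROWS = [
    {"id": 1, "address1": "10 Downing St", "address2": "", "city": "London",
     "state_province": "", "postal_code": "SW1A 2AA", "country": "GB"},
    {"id": 2, "address1": "<img src=x onerror=alert(document.cookie)>", "address2": "",
     "city": "Nowhere", "state_province": "", "postal_code": "", "country": None},
    {"id": 3, "address1": "1 Main St", "address2": "A & B Ltd", "city": "Springfield",
     "state_province": "IL", "postal_code": "62701", "country": "US"},
]


if __name__ == "__main__":
    payload = Address(address1="<img src=x onerror=alert(1)>", city="Nowhere")
    print("unsafe, no country:", render_address_unsafe(payload))
    print("safe,   no country:", render_address_safe(payload))
    print("rows to review:", find_suspicious_entries(SAMPLE_ROWS))
```

Row 3 shows why the scan looks for tag and handler syntax rather than any special character: a bare ampersand in a company name is ordinary address data and should not be flagged. Entries the scan returns still need a human look before they are cleaned, and the durable fix remains escaping at the point of output on every path, as `render_address_safe` does.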