Unknown · Concrete CMS · CVE-2024-1245
**Name of the Vulnerable Software and Affected Versions**
Concrete CMS version 9 before 9.2.5
**Description**
The issue concerns stored XSS in file tags and description attributes. Administrator-entered file attributes are not sufficiently sanitized in the Edit Attributes page, allowing a rogue administrator to put malicious code into the file tags or description attributes. This malicious code could execute when another administrator opens the same file for editing.
**Recommendations**
For Concrete CMS version 9 before 9.2.5, update to version 9.2.5 or later to resolve the issue. As a temporary workaround, restrict access to the Edit Attributes page to minimize the risk of exploitation. Additionally, until the update is applied, treat administrator-entered file tags and description attributes as untrusted input and do not render them unsanitized.
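The class of defect described above, as an added illustration that is not Concrete CMS code: a stored file description or tag value echoed into an edit form without escaping, beside the same rendering with output encoding applied at the point of display. The `$file` array, the form field names and the sample values are constructed for this example and are not taken from the product.

```php
<?php
// Added example, not Concrete CMS code: rendering stored file attributes
// in an edit form. The $file array, field names and values are constructed.

declare(strict_types=1);

/**
 * Escape a stored attribute value for safe insertion into HTML text or a
 * quoted attribute value. ENT_QUOTES covers single and double quotes;
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty
 * string, which would otherwise silently drop the stored value.
 */
function escapeAttribute(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: the stored value is echoed straight into the markup. */
function renderDescriptionUnsafe(string $description): string
{
    return '<textarea name="description">' . $description . '</textarea>';
}

/** Hardened pattern: identical markup, value escaped at output time. */
function renderDescriptionSafe(string $description): string
{
    return '<textarea name="description">' . escapeAttribute($description) . '</textarea>';
}

/** Tags are stored comma-separated; each one is trimmed and escaped separately. */
function renderTagsSafe(string $tags): string
{
    $items = array_filter(array_map('trim', explode(',', $tags)), 'strlen');
    $html  = '';
    foreach ($items as $tag) {
        $html .= '<span class="tag">' . escapeAttribute($tag) . '</span>';
    }
    return $html;
}

// Constructed sample row standing in for what another administrator saved.
// The markup fragments are harmless probe strings used only to show the
// difference between the two renderings.
$file = [
    'description' => 'Quarterly report </textarea><b>probe</b>',
    'tags'        => 'finance, "q1", <i>probe</i>',
];

echo renderDescriptionUnsafe($file['description']), PHP_EOL;
echo renderDescriptionSafe($file['description']), PHP_EOL;
echo renderTagsSafe($file['tags']), PHP_EOL;
```

In the unsafe rendering the stored `</textarea>` terminates the control early and the `<b>` element becomes live markup on the page an administrator is viewing; in the safe rendering the angle brackets and quotes arrive in the browser as `&lt;`, `&gt;` and `&quot;` entities, so the value is displayed as text and the form still round-trips it unchanged. Escaping at output time, rather than filtering at input time, is the property to check for when auditing a page that displays attributes entered by other users.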