Unknown · Concrete CMS · CVE-2026-8139
**Name of the Vulnerable Software and Affected Versions**
Concrete CMS versions prior to 9.5.1
**Description**
Stored cross-site scripting (XSS) is possible through the `cvName` of an 'external-link' page, because the `updateCollectionAliasExternal()` function bypasses sanitization. Stored XSS is a flaw in which malicious scripts are permanently stored on the target server, which then serves them to other users.
**Recommendations**
Update to a version newer than 9.5.0.
As a temporary workaround, restrict access to the `updateCollectionAliasExternal()` function to minimize the risk of exploitation.
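
Because the flaw is stored, a check of the names already saved is a useful companion to the update. The following is an added example, not Concrete CMS code: it flags page names that contain markup, including entity-encoded markup. It assumes the operator has exported `(page id, cvName)` pairs from the site's own database and that names saved before the update are still stored as entered; the function names and sample rows are constructed for illustration.

```python
import html
import re

# Patterns that have no place in a plain-text page name.
MARKUP_PATTERNS = [
    ("html_tag", re.compile(r"</?[a-zA-Z]")),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("script_uri", re.compile(r"\b(?:javascript|vbscript)\s*:", re.IGNORECASE)),
]


def normalize(value, max_rounds=3):
    """Undo up to max_rounds layers of HTML entity encoding."""
    for _ in range(max_rounds):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    return value


def audit_names(rows):
    """Return [(page_id, stored_name, [reasons])] for names containing markup."""
    findings = []
    for page_id, name in rows:
        text = normalize(name or "")
        reasons = [label for label, pat in MARKUP_PATTERNS if pat.search(text)]
        if reasons:
            findings.append((page_id, name, reasons))
    return findings


# Constructed sample rows (page id, stored cvName); not taken from a real site.
SAMPLE_ROWS = [
    (101, "Vendor portal"),
    (102, "Docs & Support"),
    (103, "<img src=x onerror=alert(1)>"),
    (104, "&lt;script&gt;alert(1)&lt;/script&gt;"),
    (105, "Q3 results: on track"),
    (106, None),
]

if __name__ == "__main__":
    for page_id, name, reasons in audit_names(SAMPLE_ROWS):
        print(page_id, repr(name), ",".join(reasons))
```

The patterns err toward flagging, so each hit is a row to review by hand rather than proof of an injected script.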