Wezery0

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions 8.5.13 and earlier Concrete CMS versions 9.0.0 through 9.2.2 **Description** The issue allows an admin to add a stored XSS payload via the Layout Preset name, potentially affecting user interactions with the system. **Recommendations** For Concrete CMS versions 8.5.13 and earlier, update to version 8.5.14 or later. For Concrete CMS versions 9.0.0 through 9.2.2, update to version 9.2.3 or later.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions prior to 8.5.6 **Description** The issue concerns a CSRF vulnerability in the Calendar component of Concrete CMS. Specifically, the `ccm token` is not verified on the "ccm/calendar/dialogs/event/add/save" endpoint, making it susceptible to cross-site request forgery attacks. **Recommendations** For versions prior to 8.5.6, update to version 8.5.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the "ccm/calendar/dialogs/event/add/save" endpoint until a patch is available.