Yusuke Uchida

#47363 of 53,633
5.4 Total CVSS
Vulnerabilities · 1
PT-2024-38322
5.4
2024-09-24
Unknown · Concrete Cms · CVE-2024-7398
**Name of the Vulnerable Software and Affected Versions**

Concrete CMS versions 9 through 9.3.3

Concrete CMS versions below 8.5.19

**Description**

The issue is related to stored XSS in the calendar event addition feature. This occurs because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with permission to modify event calendars can execute scripts.

**Recommendations**

For Concrete CMS versions 9 through 9.3.3, update to a version above 9.3.3 to resolve the issue.

For Concrete CMS versions below 8.5.19, update to version 8.5.19 or higher to resolve the issue.

As a temporary workaround, consider restricting access to the calendar event addition feature for users or groups with permission to create or modify event calendars until a patch is available.