Microsoft · Internet Explorer · CVE-2022-30119
**Name of the Vulnerable Software and Affected Versions**
Concrete CMS versions 8.5.7 and below
Concrete CMS versions 9.0 through 9.0.2
**Description**
The issue stems from insufficient sanitization of URLs built by the /dashboard/reports/logs/view endpoint, which can be exploited for XSS attacks. It can only be exploited on old browsers, such as Internet Explorer with XSS protection disabled, because such browsers provide no automatic escaping of reflected input.
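The unsafe-versus-hardened pattern behind this class of bug, as an added illustration that is not Concrete CMS code (the real endpoint is PHP; the link shape, parameter names and payload below are constructed): a log viewer that rebuilds its own URL from request parameters must percent-encode the values and then HTML-escape the result, rather than relying on a browser-side XSS filter.

```python
# Added example: builds the kind of "reload this view" link a log viewer emits
# from request parameters, first the unsafe way the advisory describes
# (raw interpolation), then with URL-encoding and HTML-escaping applied.
# Constructed illustration only; not Concrete CMS code.
from html import escape
from urllib.parse import urlencode

LOGS_VIEW = "/dashboard/reports/logs/view"  # endpoint named in the advisory


def build_link_unsafe(params: dict) -> str:
    """Vulnerable pattern: query values are concatenated into HTML verbatim,
    so a quote or angle bracket in a value breaks out of the href attribute."""
    query = "&".join(f"{k}={v}" for k, v in params.items())
    return f'<a href="{LOGS_VIEW}?{query}">Reload</a>'


def build_link_safe(params: dict) -> str:
    """Hardened pattern: values are percent-encoded for the URL, then the
    whole URL is HTML-escaped (quotes and ampersands included) before being
    placed in an attribute. Neither step depends on the client's browser."""
    query = urlencode(params)  # '"' -> %22, '<' -> %3C, '>' -> %3E
    return f'<a href="{escape(LOGS_VIEW + "?" + query, quote=True)}">Reload</a>'


def reflects_unescaped(html_fragment: str, value: str) -> bool:
    """Server-side self-check for a unit test or response filter: did an
    input value containing HTML-significant characters survive verbatim
    into the rendered output?"""
    return any(c in value for c in '<>"\'') and value in html_fragment
```

The same check can be run over a rendered page in CI to catch regressions of this kind before relying on any browser-side protection.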
**Recommendations**
For Concrete CMS versions 8.5.7 and below, update to a version above 8.5.7 to resolve the issue.
For Concrete CMS versions 9.0 through 9.0.2, update to a version above 9.0.2 to resolve the issue.
As a temporary workaround, avoid using the /dashboard/reports/logs/view endpoint from old browsers until a patch is available.
Restrict access to the /dashboard/reports/logs/view endpoint to minimize the risk of exploitation.