PT-2019-9735 · Concrete5 · Concrete5
Hexife · Published 2019-06-17 · Updated 2021-07-15 · CVE-2018-19146
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Concrete5 version 8.4.3
Description
The issue allows XSS attacks because the config/concrete.php configuration permits administrators to upload SVG files, and an SVG file may contain HTML content including a SCRIPT element that runs when the file is rendered inline.
Recommendations
For Concrete5 version 8.4.3, consider restricting the upload of SVG files, or ensure that every uploaded file is thoroughly validated so that malicious HTML content such as SCRIPT elements cannot be included, until a proper fix is available.
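One way to implement the recommended validation, as an added example that is not Concrete5 code: it parses an uploaded SVG and reports script-bearing content (SCRIPT and other embedding elements, on* event handlers, javascript: links) before the file is accepted. The blocked-element list and the two sample SVGs are constructed assumptions for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample uploads (not from the advisory): a benign icon and one
# carrying the kind of SCRIPT element the advisory describes.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
HOSTILE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg">'
               b'<script>alert(1)</script><circle r="4"/></svg>')

# Elements that let an SVG carry script or arbitrary HTML (assumed list).
BLOCKED_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# href values that invoke script when the image is rendered inline.
SCRIPT_URL = re.compile(r"^\s*javascript:", re.IGNORECASE)


def local_name(tag):
    """Strip the namespace from an ElementTree tag ('{ns}script' -> 'script')."""
    return tag.rsplit("}", 1)[-1].lower()


def svg_findings(data):
    """Return the reasons an uploaded SVG should be rejected (empty list = clean).
    xml.etree does not fetch external entities, but production code parsing
    untrusted input should use defusedxml to also block entity-expansion attacks."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if local_name(root.tag) != "svg":
        return [f"root element is <{local_name(root.tag)}>, not <svg>"]
    findings = []
    for elem in root.iter():  # iter() visits the root and every descendant
        name = local_name(elem.tag)
        if name in BLOCKED_ELEMENTS:
            findings.append(f"forbidden element <{name}>")
        for attr, value in elem.attrib.items():
            aname = local_name(attr)  # '{xlink ns}href' -> 'href'
            if aname.startswith("on"):
                findings.append(f"event handler attribute {aname} on <{name}>")
            elif aname == "href" and SCRIPT_URL.match(value):
                findings.append(f"javascript: href on <{name}>")
    return findings


def accept_upload(data):
    """Gate for an upload handler: accept only when nothing was flagged."""
    return not svg_findings(data)


if __name__ == "__main__":
    print("benign:", svg_findings(BENIGN_SVG))
    print("hostile:", svg_findings(HOSTILE_SVG))
```

A content-type check alone is not enough, since the same bytes can be served as image/svg+xml; the structural walk above is what catches the SCRIPT element.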
XSS
Affected Products
Concrete5