PT-2022-20010 · Microsoft · Internet Explorer

Zeroinside · Published 2022-06-24 · Updated 2022-07-05 · CVE-2022-30119

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Concrete CMS versions 8.5.7 and below
Concrete CMS versions 9.0 through 9.0.2

Description

The issue stems from insufficient sanitization of URLs built by the /dashboard/reports/logs/view endpoint, which can be exploited for XSS attacks. Exploitation is only possible in old browsers, such as Internet Explorer with XSS protection disabled, because these browsers lack automatic input-escaping mechanisms.

Recommendations

For Concrete CMS versions 8.5.7 and below, update to a version above 8.5.7 to resolve the issue. For Concrete CMS versions 9.0 through 9.0.2, update to a version above 9.0.2 to resolve the issue. As a temporary workaround, consider disabling the use of the /dashboard/reports/logs/view endpoint in old browsers until a patch is applied. Restrict access to the /dashboard/reports/logs/view endpoint to minimize the risk of exploitation.
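The defect class described above, a URL assembled from request input and written into HTML without escaping, is illustrated below with an added example. It is not Concrete CMS code and does not reproduce the actual affected endpoint; the functions, the `return` query parameter and the sample input are hypothetical. It shows the unsafe pattern beside a hardened version that validates the value as a site-relative path and HTML-escapes it at the output sink.

```php
<?php
// Added example (hypothetical log-viewer page), not Concrete CMS code.
// Both functions build a "back to list" link from a request parameter.

// Unsafe pattern: a URL assembled from untrusted input is written into an
// href attribute verbatim. Whatever $query['return'] contains lands in the
// attribute unchanged, so the markup context is not protected.
function render_back_link_vulnerable(array $query): string
{
    $return = $query['return'] ?? '/dashboard/reports/logs';
    return '<a href="' . $return . '">Back to logs</a>';
}

// Hardened pattern: (1) accept only a plain site-relative path, falling back
// to a fixed default otherwise; (2) HTML-escape the value at the output sink
// in attribute context. Browser-side XSS filters are not relied on.
function render_back_link_hardened(array $query): string
{
    $default = '/dashboard/reports/logs';
    $return = $query['return'] ?? $default;

    // Must start with a single "/" (no scheme, no protocol-relative "//host")
    // and contain only unreserved/sub-delimiter URL characters.
    if (!preg_match('#\A/(?!/)[A-Za-z0-9._~!$&\'()*+,;=:@%/?-]*\z#', $return)) {
        $return = $default;
    }

    // Escape quotes, angle brackets and ampersands so the value can neither
    // terminate the attribute nor introduce new tags.
    $safe = htmlspecialchars($return, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $safe . '">Back to logs</a>';
}

// Constructed sample input (not a real request); both versions render it,
// and only the hardened one is safe for arbitrary values of "return".
$sample = ['return' => '/dashboard/reports/logs?page=2'];
echo render_back_link_vulnerable($sample), PHP_EOL;
echo render_back_link_hardened($sample), PHP_EOL;
```

The allow-list check and the escaping are independent layers: the check keeps the link from pointing off-site or to a non-HTTP scheme, while `htmlspecialchars` guarantees that whatever survives the check cannot break out of the attribute. Applying the escape at the sink, rather than on input, is what makes the fix robust regardless of which browser renders the page.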

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2022-30119

Affected Products

Internet Explorer