PT-2022-20012 · Concrete · Concrete

Bogdan Tiron · Published 2022-06-24 · Updated 2022-07-05

CVE-2022-30120

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Concrete versions 8.5.7 and below; Concrete versions 9.0 through 9.0.2

Description: The issue stems from insufficient sanitization where built URLs are output, which can be exploited for XSS when an older browser with its built-in XSS protection disabled is used. This cannot be exploited in modern web browsers due to an automatic input escaping mechanism. The API endpoint "/dashboard/blocks/stacks/view details/" is affected.

Recommendations: For Concrete versions 8.5.7 and below, update to a version above 8.5.7 to resolve the issue. For Concrete versions 9.0 through 9.0.2, update to a version above 9.0.2 to resolve the issue. As a temporary workaround, consider disabling use of the "/dashboard/blocks/stacks/view details/" endpoint in older browsers until a patch is available.
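To make the bug class in the description concrete, here is an added example (not Concrete CMS code and not the vendor's fix): a URL built from a request path is written into an href attribute without output encoding, shown beside the hardened form and a small regression check. The names build_url, render_link_vulnerable, render_link_hardened and attribute_is_intact are assumed, and the request path is constructed.

```php
<?php
// Added example, not Concrete CMS code: models the advisory's bug class, a URL
// assembled from request-controlled parts and echoed into an HTML attribute.
declare(strict_types=1);

// Assumed helper: the page path is taken from the request as-is (this is how raw
// characters reach the markup); the query map is encoded by http_build_query().
function build_url(string $requestPath, array $query): string
{
    $qs = http_build_query($query);
    return $qs === '' ? $requestPath : $requestPath . '?' . $qs;
}

// Vulnerable pattern: the built URL is concatenated into markup with no output
// encoding, so a double quote in the path terminates the href attribute.
function render_link_vulnerable(string $requestPath, array $query): string
{
    return '<a href="' . build_url($requestPath, $query) . '">View details</a>';
}

// Hardened pattern: encode for the HTML attribute context at the point of output.
// ENT_QUOTES covers both quote styles; the charset is stated explicitly.
function render_link_hardened(string $requestPath, array $query): string
{
    $url = htmlspecialchars(build_url($requestPath, $query), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $url . '">View details</a>';
}

// Regression check a maintainer can keep: the rendered markup must contain exactly
// two double quotes (the pair wrapping href), whatever the request path held.
function attribute_is_intact(string $html): bool
{
    return substr_count($html, '"') === 2;
}

// Constructed request: a path carrying a stray double quote after a placeholder id.
$path  = '/dashboard/blocks/stacks/view details/STACK_ID_PLACEHOLDER"';
$query = ['sort' => 'name'];

var_dump(attribute_is_intact(render_link_vulnerable($path, $query)));
var_dump(attribute_is_intact(render_link_hardened($path, $query)));
```

The same check can be pointed at any template that reflects a request-derived URL; it flags the attribute break rather than any particular payload.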

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2022-30120
GHSA-M2WW-6WV6-VW3C

Affected Products

Concrete