PT-2022-27011 · Unknown · Concrete Cms
Credited: Adrian Tiron, +1
Published 2022-11-14 · Updated 2025-05-13
CVE-2022-43695
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Concrete CMS versions prior to 8.5.10
Concrete CMS versions 9.0.0 through 9.1.2
Description
Concrete CMS does not validate the entity name supplied when an Express entity association is created at dashboard/system/express/entities/associations: the name is accepted even when no such entity exists, and whether or not it exists it is stored and later rendered into the dashboard page without proper sanitization. A user with the privileges needed to manage Express entities (PR:H in the vector) can therefore store a name carrying a script payload, which executes in the browser of any other administrator who subsequently views the associations page (stored XSS; UI:R, S:C).
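To make the two defects concrete, the following Python stand-in models the flaw described above beside its hardened form. It is an added illustration, not Concrete CMS code: the entity registry (EXISTING_ENTITIES), the payload string and the Association/render helpers are all constructed here. The vulnerable path accepts any target name and interpolates it unescaped into the table markup; the hardened path rejects targets that are not registered entities and HTML-escapes on output.

```python
import html
from dataclasses import dataclass

# Constructed stand-in for the Express entity registry: the handles of the
# entities that actually exist on this hypothetical site.
EXISTING_ENTITIES = {"customer", "order", "invoice"}

# Constructed attacker input: an association target that names no entity and
# carries a script payload instead.
PAYLOAD_NAME = '<img src=x onerror="alert(document.cookie)">'


@dataclass
class Association:
    source: str
    target: str


def create_association_vulnerable(source: str, target: str) -> Association:
    """Flaw 1 (as the advisory describes it): the target name is accepted
    as-is, whether or not such an entity exists, and stored verbatim."""
    return Association(source=source, target=target)


def create_association_hardened(source: str, target: str) -> Association:
    """Fix 1: both ends must refer to an entity that exists before storing."""
    for name in (source, target):
        if name not in EXISTING_ENTITIES:
            raise ValueError(f"unknown Express entity: {name!r}")
    return Association(source=source, target=target)


def hardened_accepts(source: str, target: str) -> bool:
    """Convenience wrapper: does the hardened path accept this pair?"""
    try:
        create_association_hardened(source, target)
    except ValueError:
        return False
    return True


def render_row_vulnerable(assoc: Association) -> str:
    """Flaw 2: stored names are interpolated straight into dashboard markup,
    so a name containing markup is parsed by the viewing admin's browser."""
    return f"<tr><td>{assoc.source}</td><td>{assoc.target}</td></tr>"


def render_row_hardened(assoc: Association) -> str:
    """Fix 2: escape on output (quote=True also escapes " and ') so stored
    names are displayed as text and never interpreted as HTML."""
    return (
        f"<tr><td>{html.escape(assoc.source, quote=True)}</td>"
        f"<td>{html.escape(assoc.target, quote=True)}</td></tr>"
    )


def payload_is_live(rendered: str) -> bool:
    """True if the raw payload survives in the rendered page, i.e. the
    event handler would fire when an administrator opens the listing."""
    return PAYLOAD_NAME in rendered


if __name__ == "__main__":
    stored = create_association_vulnerable("customer", PAYLOAD_NAME)
    print("vulnerable:", render_row_vulnerable(stored), payload_is_live(render_row_vulnerable(stored)))
    print("escaped   :", render_row_hardened(stored), payload_is_live(render_row_hardened(stored)))
    print("validated :", hardened_accepts("customer", PAYLOAD_NAME), hardened_accepts("customer", "order"))
```

Output encoding alone neutralises the stored payload; the existence check is what closes the "entity name that does not exist" half of the finding, since a name that is not a registered entity has no legitimate reason to be stored at all.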
Recommendations
For Concrete CMS versions prior to 8.5.10, update to version 8.5.10 or later.
For Concrete CMS versions 9.0.0 through 9.1.2, update to version 9.1.3 or later.
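The two affected ranges above are easy to get wrong with a string comparison ("8.5.10" sorts before "8.5.9" lexicographically). The following Python helper, added here and not part of the advisory or of Concrete CMS, compares versions numerically and maps an installed version to the upgrade the advisory recommends; the treatment of pre-release suffixes (e.g. "9.1.2rc1" is treated as 9.1.2) is an assumption of this example.

```python
import re
from typing import Optional, Tuple

# Boundaries taken from the advisory's two affected ranges.
FIXED_8X = (8, 5, 10)   # everything below this in the 8.x (and older) line is affected
FIRST_9X = (9, 0, 0)
FIXED_9X = (9, 1, 3)    # 9.0.0 <= v < 9.1.3 is affected


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.5.10' into (8, 5, 10) so each component compares as an integer.

    Anything after the numeric part of a component (e.g. the 'rc1' in
    '9.1.2rc1') is dropped, so a pre-release is treated as the release it
    precedes (assumption of this example). Missing components default to 0.
    """
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
        if m.end() != len(piece):   # trailing suffix: stop after this component
            break
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True if the given Concrete CMS version falls in either affected range."""
    v = parse_version(version)
    if v < FIXED_8X:
        return True
    return FIRST_9X <= v < FIXED_9X


def recommended_upgrade(version: str) -> Optional[str]:
    """Return the minimum fixed version for the branch the install is on,
    or None if the install is not affected."""
    v = parse_version(version)
    if v < FIXED_8X:
        return "8.5.10"
    if FIRST_9X <= v < FIXED_9X:
        return "9.1.3"
    return None


if __name__ == "__main__":
    for ver in ("8.5.9", "8.5.10", "9.0.0", "9.1.2", "9.1.3", "9.2.0"):
        print(ver, "affected" if is_affected(ver) else "not affected", recommended_upgrade(ver))
```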
Tags: XSS, Command Injection
Affected Products
Concrete Cms