PT-2023-21745 · Unknown · Concrete Cms
Bogdan Tiron
·
Published
2023-04-28
·
Updated
2023-12-06
·
CVE-2023-28475
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Concrete CMS (previously concrete5) versions 8.5.12 and below
Concrete CMS (previously concrete5) versions 9.0 through 9.1.3
Description
The issue is related to Reflected XSS on the Reply form because the
msgID was not sanitized. This allows for potential exploitation.Recommendations
For versions 8.5.12 and below, update to version 9.2 or later.
For versions 9.0 through 9.1.3, update to version 9.2 or later.
As a temporary workaround, consider restricting access to the Reply form until a patch is available.
Avoid using the
msgID parameter in the affected Reply form endpoint until the issue is resolved.Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Concrete Cms