PT-2023-21747 · Unknown · Concrete Cms
Veshraj Ghimire
·
Published
2023-04-28
·
Updated
2023-12-06
·
CVE-2023-28477
CVSS v3.1
5.5
Medium
| Vector | AC:L/AV:N/A:N/C:H/I:L/PR:H/S:U/UI:N |
Name of the Vulnerable Software and Affected Versions
Concrete CMS (previously concrete5) versions 8.5.12 and below
Concrete CMS (previously concrete5) versions 9.0 through 9.1.3
Description
The issue concerns stored XSS on API Integrations via the
name parameter. This allows for potential exploitation through malicious input in the name parameter of API Integrations.Recommendations
For Concrete CMS (previously concrete5) versions 8.5.12 and below, update to version 9.2 or later to resolve the issue.
For Concrete CMS (previously concrete5) versions 9.0 through 9.1.3, update to version 9.2 or later to resolve the issue.
As a temporary workaround, consider restricting input for the
name parameter in API Integrations to minimize the risk of exploitation.Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Concrete Cms