PT-2023-21989 · Unknown · Concrete Cms

Published: 2023-04-28 · Updated: 2025-01-31 · CVE-2023-28820

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Concrete CMS (previously concrete5) versions prior to 9.1

Description
Stored XSS in the RSS Displayer via the href attribute. The link element of the fetched feed was not sanitized before being rendered into the href of the displayed anchor, so a feed under attacker control can inject script into pages that display it.

Recommendations
For versions prior to 9.1, update to version 9.1 or later to resolve the issue. As a temporary workaround, consider disabling the RSS Displayer feature until a patch is available. Restrict access to the RSS Displayer module to minimize the risk of exploitation. Avoid using the href attribute in the RSS Displayer until the issue is resolved.
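The defensive pattern the fix calls for, as an added example that is not Concrete CMS's own code: feed item links are allowed only when they are absolute http/https URLs, and both the href and the title are attribute/HTML escaped before output. The function names and the sample feed items are assumptions constructed for this illustration.

```php
<?php
// Added example, not Concrete CMS code. Sanitises RSS item links before they are
// rendered as <a href="..."> so a hostile feed cannot smuggle script into the page.

/**
 * Return the link if it is an absolute http/https URL, otherwise null.
 * Anything else (javascript:, data:, vbscript:, scheme-less or malformed
 * values, values containing control characters) is rejected outright.
 */
function safe_feed_href(string $raw): ?string
{
    $url = trim($raw);
    // Browsers tolerate control characters inside a scheme ("java\tscript:");
    // refuse such input instead of trying to normalise it.
    if ($url === '' || preg_match('/[\x00-\x1f\x7f]/', $url)) {
        return null;
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    $host   = parse_url($url, PHP_URL_HOST);
    if ($scheme === null || $host === null) {
        return null;
    }
    return in_array(strtolower($scheme), ['http', 'https'], true) ? $url : null;
}

/** Render one feed item; items with an unsafe link degrade to plain text. */
function render_feed_item(string $title, string $link): string
{
    $esc  = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $href = safe_feed_href($link);
    if ($href === null) {
        return '<span>' . $esc($title) . '</span>';
    }
    // A valid URL may still contain quotes; escaping the attribute value keeps
    // it from closing the href early.
    return '<a href="' . $esc($href) . '">' . $esc($title) . '</a>';
}

// Constructed sample items, not taken from any real feed.
$items = [
    ['title' => 'Release notes', 'link' => 'https://example.com/news/1'],
    ['title' => 'Click me',      'link' => 'javascript:alert(document.cookie)'],
    ['title' => 'Odd scheme',    'link' => " java\tscript:alert(1)"],
    ['title' => 'Quote',         'link' => 'https://example.com/?q="onmouseover="alert(1)'],
];
foreach ($items as $item) {
    echo render_feed_item($item['title'], $item['link']), "\n";
}
```

Only the first and last items are rendered as links; the last one survives because the escaped double quotes can no longer terminate the href attribute.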

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2023-28820
GHSA-FGXJ-G7X3-85CQ

Affected Products

Concrete Cms