PT-2023-29284 · Unknown · Concrete Cms

Romanhu · Published 2023-10-06 · Updated 2024-08-02 · CVE-2023-44760

CVSS v3.1: 4.8 Medium
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Concrete CMS version 9.2.1

Description
Multiple stored Cross-Site Scripting (XSS) vulnerabilities. An authenticated administrator can place a crafted script in the Header and Footer Tracking Codes fields under SEO & Statistics, or in the SEO - Extra fields of Page Settings; the script is then rendered into the site's pages and executes in the browser of anyone who views them. The vendor disputes the severity, stating that the ability to place JavaScript in these areas is an intentional customization feature for admins, and notes that the injected script does not yield a Concrete CMS session because the session cookie is set with the HttpOnly flag. HttpOnly only stops the script from reading the cookie, however; code running in a victim's browser can still issue requests that ride on that victim's authenticated session.

Recommendations
For Concrete CMS 9.2.1, restrict the ability to edit the Header and Footer Tracking Codes under SEO & Statistics and the SEO - Extra fields of Page Settings to the smallest set of trusted administrators, and review what is placed there: limit these fields to known analytics snippets and inspect them after any change. Confirm that the session cookie is issued with HttpOnly (and Secure), since that is the control the vendor relies on. At the time of writing, no newer version containing a fix has been identified.
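The two checks the recommendations above amount to, written out as an added example (this is not code from Concrete CMS or from the advisory): verifying that the session cookie actually carries the HttpOnly flag the vendor relies on, and inventorying the scripts that a rendered page loads so that anything placed in the tracking-code or SEO - Extra fields that is not an expected analytics host, or is an unrecognised inline snippet, is surfaced for review. The session cookie name "CONCRETE5", the allow-list of analytics hosts and the sample response headers and page are constructed for illustration; adjust them to what your install actually sets.

```python
"""Added example (not Concrete CMS or advisory code): post-advisory checks.

1. cookie_flags / session_cookie_issues: does the session cookie carry
   HttpOnly (so script injected via the tracking-code fields cannot read it
   with document.cookie), plus Secure and SameSite?
2. audit_scripts: list every <script> a rendered page loads; external
   sources outside the allow-list and all inline snippets come back for review,
   because content from the tracking-code fields lands in exactly those places.

Assumptions: the cookie name "CONCRETE5", ALLOWED_ANALYTICS_HOSTS and the
sample response/page are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


def cookie_flags(set_cookie_header: str, cookie_name: str):
    """Parse one Set-Cookie header value. Return the flag summary for
    cookie_name, or None when the header sets some other cookie."""
    parts = [p.strip() for p in set_cookie_header.split(";")]
    name, _, _value = parts[0].partition("=")
    if name.strip() != cookie_name:
        return None
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True  # bare flag -> True
    samesite = attrs.get("samesite")
    return {
        "httponly": attrs.get("httponly") is True,
        "secure": attrs.get("secure") is True,
        "samesite": samesite if isinstance(samesite, str) else None,
    }


def session_cookie_issues(set_cookie_headers, cookie_name):
    """Return a list of problems with the session cookie's attributes.
    A response that never sets the cookie is itself reported."""
    for header in set_cookie_headers:
        flags = cookie_flags(header, cookie_name)
        if flags is None:
            continue
        issues = []
        if not flags["httponly"]:
            issues.append("session cookie lacks HttpOnly: injected script can read it")
        if not flags["secure"]:
            issues.append("session cookie lacks Secure")
        if flags["samesite"] is None:
            issues.append("session cookie lacks SameSite")
        return issues
    return [f"no Set-Cookie for {cookie_name} in response"]


class _ScriptCollector(HTMLParser):
    """Collect (src, inline body) for every <script> element in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = {"src": dict(attrs).get("src"), "inline": ""}

    def handle_data(self, data):
        if self._current is not None:  # HTMLParser delivers script bodies as data
            self._current["inline"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit_scripts(page_html: str, allowed_hosts):
    """Relative (first-party) sources are skipped; external sources outside
    allowed_hosts and every non-empty inline snippet are returned as findings."""
    collector = _ScriptCollector()
    collector.feed(page_html)
    collector.close()
    findings = []
    for script in collector.scripts:
        if script["src"]:
            host = urlparse(script["src"]).hostname  # handles scheme-relative "//host/x"
            if host and host.lower() not in allowed_hosts:
                findings.append(("unexpected-host", host))
        elif script["inline"].strip():
            findings.append(("inline", script["inline"].strip().splitlines()[0][:60]))
    return findings


# Constructed sample data (assumptions, not taken from the advisory).
SESSION_COOKIE = "CONCRETE5"
ALLOWED_ANALYTICS_HOSTS = {"www.googletagmanager.com"}
SAMPLE_SET_COOKIE = [
    "CONCRETE5=0123456789abcdef; Path=/; HttpOnly; Secure; SameSite=Lax",
    "ccmPoll=1; Path=/",
]
SAMPLE_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
<script>window.dataLayer = window.dataLayer || []; gtag('js', new Date());</script>
<script src="https://cdn.example.net/stats.js"></script>
</head><body><script src="/concrete/js/ccm.js"></script></body></html>"""

if __name__ == "__main__":
    print("cookie issues:", session_cookie_issues(SAMPLE_SET_COOKIE, SESSION_COOKIE))
    for kind, detail in audit_scripts(SAMPLE_PAGE, ALLOWED_ANALYTICS_HOSTS):
        print(kind, detail)
```

Run it against a real response by feeding every `Set-Cookie` header of the login response into `session_cookie_issues` and the HTML of a public page into `audit_scripts`; an inline finding is not proof of compromise (analytics snippets are inline too), it is the list an administrator should be able to account for line by line.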

Exploit

XSS

Weakness Enumeration

Related Identifiers

CVE-2023-44760
GHSA-437P-JFM4-2387
GHSA-4QV6-37XQ-MGQ2

Affected Products

Concrete Cms