PT-2023-29287 · Unknown · Concrete Cms

Romanhu · Published 2023-10-10 · Updated 2024-08-02 · CVE-2023-44763

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Concrete CMS version 9.2.1

Description: Concrete CMS 9.2.1 lets a low-privileged authenticated user (CVSS PR:L) upload an arbitrary file through the Thumbnail file upload, which can lead to Cross-Site Scripting (XSS). The upload succeeds even with the default configuration, in which 'pdf' is one of the allowed file types, despite the vendor's position that customers should remove 'pdf' from the allowed file types.

Recommendations: For Concrete CMS 9.2.1, remove 'pdf' from the allowed file types in the configuration to reduce the risk of arbitrary file upload and the resulting XSS. As a temporary workaround, restrict use of the Thumbnail file upload feature until a proper fix is applied.
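The two checks below illustrate the mitigation described above. They are an added example written for this page, not code from the advisory, from Positive Technologies or from Concrete CMS. The `*.jpg;*.png` allowlist syntax is assumed to match the form Concrete CMS uses for its allowed-file-types setting; the sample PDF and PNG bytes are constructed for the example. The first check strips 'pdf' (and, going beyond the advisory, other extensions a browser will render as active content, such as 'svg' and 'html') from an allowlist; the second validates the bytes of a thumbnail upload against raster image magic numbers, so that a PDF is rejected even if it is renamed to '.png'.

```python
"""Allowlist hardening and content sniffing for thumbnail uploads.

Added example for the Concrete CMS thumbnail upload advisory; not the
project's own code.  The ``*.ext;*.ext`` allowlist format is an assumption.
"""
from __future__ import annotations

# Extensions a browser may render as active content when served inline.
# 'pdf' is the one the advisory names; the rest are the same class of risk.
ACTIVE_CONTENT_EXTENSIONS = frozenset(
    {"pdf", "svg", "svgz", "html", "htm", "xhtml", "xml", "js"}
)

# The only extensions a thumbnail should ever need.
RASTER_THUMBNAIL_EXTENSIONS = frozenset({"png", "jpg", "jpeg", "gif", "webp"})


def parse_extension_list(spec: str) -> list[str]:
    """Parse '*.jpg;*.PNG;*.jpg' into ['jpg', 'png'] (lower-cased, deduplicated)."""
    seen: set[str] = set()
    out: list[str] = []
    for item in spec.split(";"):
        ext = item.strip().lstrip("*").lstrip(".").lower()
        if ext and ext not in seen:
            seen.add(ext)
            out.append(ext)
    return out


def harden_extension_list(spec: str, extra_blocked=()) -> tuple[str, list[str]]:
    """Return (hardened allowlist in the same format, list of removed extensions)."""
    blocked = ACTIVE_CONTENT_EXTENSIONS | frozenset(e.lower() for e in extra_blocked)
    kept: list[str] = []
    removed: list[str] = []
    for ext in parse_extension_list(spec):
        (removed if ext in blocked else kept).append(ext)
    return ";".join(f"*.{e}" for e in kept), removed


# Magic numbers of the raster formats a thumbnail may legitimately use.
_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def sniff_image(data: bytes) -> str | None:
    """Return the detected raster format, or None if the bytes are not a known raster image."""
    for fmt, magics in _MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return fmt
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":  # RIFF container with WEBP tag
        return "webp"
    return None


def accept_thumbnail(filename: str, data: bytes) -> bool:
    """Accept only if the extension is a raster type AND the file content agrees with it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in RASTER_THUMBNAIL_EXTENSIONS:
        return False
    detected = sniff_image(data)
    if detected is None:
        return False
    normalized = "jpeg" if ext in ("jpg", "jpeg") else ext  # jpg and jpeg are one format
    return detected == normalized


# Constructed sample inputs (not taken from the advisory).
# A minimal PDF whose /OpenAction runs JavaScript in a browser's PDF viewer:
# this is why 'pdf' on the allowlist turns a file upload into XSS.
SAMPLE_PDF_WITH_JS = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (app.alert('xss')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

# Assumed shape of an allowlist that, like the default described above, includes pdf.
DEFAULT_LIKE_SPEC = "*.jpg;*.png;*.gif;*.pdf;*.svg;*.docx"

if __name__ == "__main__":
    hardened, removed = harden_extension_list(DEFAULT_LIKE_SPEC)
    print("hardened allowlist:", hardened)
    print("removed:", removed)
    print("PDF renamed to .png accepted?", accept_thumbnail("thumb.png", SAMPLE_PDF_WITH_JS))
    print("real PNG accepted?", accept_thumbnail("thumb.png", SAMPLE_PNG))
```

Removing 'pdf' from the global allowlist is the vendor-endorsed mitigation; the content sniff is the defence-in-depth check a thumbnail endpoint should apply regardless, because an allowlist only governs the extension, not what the bytes actually are.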

Exploit

Fix

XSS

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2023-44763
GHSA-WRP2-6V6J-HFMG

Affected Products

Concrete Cms