PT-2023-29290 · Unknown · Concrete Cms
Romanhu · Published 2023-10-06 · Updated 2024-08-02 · CVE-2023-44766
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Concrete CMS version 9.2.1

Description: A Cross Site Scripting (XSS) issue allows an attacker to execute arbitrary code via a crafted script submitted in the SEO - Extra field of Page Settings. Note that the vendor disputes this, stating that allowing an admin to place JavaScript there is an intentional customization feature.

Recommendations: For Concrete CMS version 9.2.1, consider restricting access to the SEO - Extra field of Page Settings to minimize the risk of exploitation, as this feature can be used to execute arbitrary code. Additionally, ensure that only trusted administrators have access to this feature, as the vendor intends it for customization purposes. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit: XSS

Weakness Enumeration

Related Identifiers

CVE-2023-44766
GHSA-437P-JFM4-2387

Affected Products

Concrete Cms