CVE-2023-49337

Name of the Vulnerable Software and Affected Versions Concrete CMS versions 8.6 through 9.2.2

Description The issue allows Stored XSS on the Admin Dashboard via the "/dashboard/system/basics/name" API endpoint. The name variable is vulnerable to this type of attack. There is no information provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited.

Recommendations For Concrete CMS versions 8.6 through 9.2.2, update to version 9.2.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/dashboard/system/basics/name" API endpoint until a patch is available. Avoid using the name variable in the affected API endpoint until the issue is resolved.