PT-2024-17599 · Unknown · Concrete Cms

Poto Gabor

·

Published

2024-02-09

·

Updated

2024-02-15

·

CVE-2024-1245

CVSS v3.1

2.4

Low

Vector

AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Concrete CMS version 9 before 9.2.5
Description: Concrete CMS version 9 before 9.2.5 is vulnerable to stored cross-site scripting (XSS) in file tags and description attributes: values an administrator enters are not sufficiently sanitized on the Edit Attributes page. A rogue administrator can store malicious script in a file's tags or description attribute; when another administrator opens the same file for editing, that script executes in the second administrator's browser session. Exploitation therefore requires an existing administrator account (PR:H) and a second administrator opening the file (UI:R), which is why the severity is rated Low.
Recommendations: For Concrete CMS version 9 before 9.2.5, update to version 9.2.5 or later. Until the update is applied, restrict access to the Edit Attributes page to the smallest possible set of administrators, and treat existing tag and description values as untrusted: review them for injected markup and HTML-escape them wherever they are rendered.
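The bug class described above, as an added example that is not Concrete CMS code and not the project's actual fix: a minimal stand-in for an edit form that renders a file's stored description and tags, first without output escaping (the vulnerable pattern) and then with it. The function names, field names and the two stored values are hypothetical, constructed to show how a quote in the stored value breaks out of an HTML attribute. Requires PHP 8 for `str_contains`.

```php
<?php
// Added example, not Concrete CMS code. Function names, field names and
// the sample values below are hypothetical.

// Constructed sample input: what a rogue administrator could save as a
// file's description and tags. The database stores these verbatim; the
// problem is what happens when they are rendered back into the edit form.
$storedDescription = '"><script>alert(document.cookie)</script>';
$storedTags = ['report', 'q1" onmouseover="alert(1)'];

// VULNERABLE: stored values are interpolated into HTML without escaping.
// The leading quote in $storedDescription closes the value attribute, so
// the rest of the string is parsed as markup and the script runs for any
// other administrator who opens the form. The second tag injects an event
// handler attribute the same way.
function renderEditFormVulnerable(string $description, array $tags): string
{
    $html  = '<input type="text" name="fDescription" value="' . $description . '">' . "\n";
    $html .= '<input type="text" name="fTags" value="' . implode(',', $tags) . '">' . "\n";
    return $html;
}

// HARDENED: every stored value is HTML-escaped at the point of output,
// regardless of who entered it. ENT_QUOTES escapes both ' and ", so the
// value cannot terminate a quoted attribute; the browser shows the payload
// as literal text inside the field instead of executing it.
function renderEditFormHardened(string $description, array $tags): string
{
    $esc = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $html  = '<input type="text" name="fDescription" value="' . $esc($description) . '">' . "\n";
    $html .= '<input type="text" name="fTags" value="' . $esc(implode(',', $tags)) . '">' . "\n";
    return $html;
}

// Simple self-check a reviewer can run against rendered output: a raw
// "<script" or an attribute break ("><) must never appear in the hardened
// form, while both appear in the vulnerable one.
function containsRawMarkup(string $html): bool
{
    return stripos($html, '<script') !== false || str_contains($html, '"><');
}

$vulnerable = renderEditFormVulnerable($storedDescription, $storedTags);
$hardened   = renderEditFormHardened($storedDescription, $storedTags);

echo "vulnerable:\n" . $vulnerable;
echo "hardened:\n" . $hardened;
echo 'vulnerable contains raw markup: ' . var_export(containsRawMarkup($vulnerable), true) . "\n";
echo 'hardened contains raw markup: ' . var_export(containsRawMarkup($hardened), true) . "\n";
```

The hardened output still shows the attacker's text in the field, which is the intended behaviour: the fix is escaping on output, not silently discarding the value. Filtering on input is a useful extra layer but is not sufficient on its own, because values already stored before the patch (or written through another path) would still reach the page unescaped.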

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2024-1245
GHSA-MGP6-J658-VCW9

Affected Products

Concrete Cms