CVE-2024-2753

CVSS v3.1

4.8

Medium

Vector

AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Concrete CMS versions 9.0.0 through 9.2.7 Concrete CMS versions prior to 8.5.16

Description The issue concerns a Stored XSS vulnerability on the calendar color settings screen. This occurs because user input is output without proper escaping, allowing a rogue administrator to inject malicious JavaScript into the Calendar Color Settings screen. This malicious code might be executed when users visit the affected page.

Recommendations For Concrete CMS versions 9.0.0 through 9.2.7, update to version 9.2.8 or later. For Concrete CMS versions prior to 8.5.16, update to version 8.5.16 or later. As a temporary workaround, consider restricting access to the calendar color settings screen to minimize the risk of exploitation.

Fix

XSS

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79CWE-20

Related Identifiers

CVE-2024-2753

GHSA-PJ42-R64F-4XFQ

Affected Products

Concrete Cms

CVE-2024-2753

Weakness Enumeration

Related Identifiers

Affected Products

References · 11