PT-2024-24206 · Unknown · Concrete Cms
Alexey Solovyev · Published 2024-04-03 · Updated 2024-12-16 · CVE-2024-3179
| CVSS v3.1 score | 4.8 (Medium) |
| Vector | AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Concrete CMS versions 9.0.0 through 9.2.7
Concrete CMS versions 8.0.0 through 8.5.15
Description
The issue is a Stored XSS in Custom Class page editing: a rogue administrator can insert malicious code into the custom class field because administrator-provided data is not sufficiently validated before it is stored and rendered.
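As an added illustration of the mitigation this description implies (example code written for this page, not Concrete CMS's own code), the following JavaScript applies a strict allow-list to a custom class value at save time and still escapes it at output time, so a value that breaks out of the `class` attribute is rejected rather than stored. The function names, the token grammar and the sample inputs are constructed for the example.

```javascript
// Added example, not Concrete CMS code: defensive handling of an
// administrator-supplied "custom class" value in two layers.
//   1. Validate the value against a strict allow-list of CSS class tokens
//      before storing it (rejects quotes, angle brackets, event handlers).
//   2. Escape on output regardless, so a value that slipped past validation
//      or came from older data still cannot terminate the attribute.

// A CSS class token here is letters, digits, hyphen or underscore and must not
// start with a digit. This is deliberately stricter than the CSS grammar
// (no escapes, no non-ASCII) because we control what we accept.
const CLASS_TOKEN = /^[A-Za-z_-][A-Za-z0-9_-]*$/;

// Validate a whitespace-separated list of class names. Returns
// { ok: true, value } with the normalised list, or { ok: false, reason }.
function validateCustomClass(input, maxTokens = 10) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  const tokens = input.trim().split(/\s+/).filter(Boolean);
  if (tokens.length === 0) return { ok: true, value: '' };
  if (tokens.length > maxTokens) return { ok: false, reason: 'too many classes' };
  for (const t of tokens) {
    if (!CLASS_TOKEN.test(t)) {
      return { ok: false, reason: `invalid class token: ${JSON.stringify(t)}` };
    }
  }
  return { ok: true, value: tokens.join(' ') };
}

// Minimal HTML attribute/text escaper covering the five characters that can
// change parsing context inside a double-quoted attribute or element body.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render a block with the admin-supplied class. An invalid class is dropped
// entirely (empty attribute) rather than partially emitted.
function renderBlock(customClass, text) {
  const v = validateCustomClass(customClass);
  const cls = v.ok ? v.value : '';
  return `<div class="${escapeHtml(cls)}">${escapeHtml(text)}</div>`;
}

// Constructed sample inputs: the first two are legitimate class lists, the
// rest are values that must be rejected at save time.
const SAMPLES = ['hero-banner  wide', '-custom_1', 'foo"bar', 'a<b', '42px', ''];
for (const s of SAMPLES) {
  const v = validateCustomClass(s);
  console.log(JSON.stringify(s), '->', v.ok ? `accepted: "${v.value}"` : `rejected (${v.reason})`);
}
console.log(renderBlock('hero-banner', 'Hello <world>'));
```

Rejecting at save time gives an administrator immediate feedback and keeps bad data out of the database; the output escaping is the backstop that protects already-stored content and any other template that renders the same field.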
Recommendations
For Concrete CMS versions 9.0.0 through 9.2.7, update to version 9.2.8 or later.
For Concrete CMS versions 8.0.0 through 8.5.15, update to version 8.5.16 or later.
As a temporary workaround, consider restricting access to the Custom Class page editing feature until a patch is available.
Fix · XSS · RCE
Affected Products
Concrete Cms