CVE-2024-3180

Name of the Vulnerable Software and Affected Versions Concrete CMS versions 9.0.0 through 9.2.7 Concrete CMS versions 8.5.15 and earlier

Description The issue is related to Stored XSS in blocks of type file, which could be caused by a rogue administrator adding malicious code to the link-text field when creating a block of type file.

Recommendations For Concrete CMS version 9, update to version 9.2.8 or later. For Concrete CMS versions prior to 8.5.16, update to version 8.5.16 or later. As a temporary workaround, consider restricting access to the block creation feature to minimize the risk of exploitation.