PT-2024-30594 · Unknown · Concrete CMS
Aembler +1
Published 2024-08-09 · Updated 2025-01-17
CVE-2024-4350
CVSS v4.0: 5.1 (Medium)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Concrete CMS versions 9.0.0 through 9.3.2
Concrete CMS versions below 8.5.18
Description
The issue is a stored cross-site scripting (XSS) vulnerability in the RSS Displayer of Concrete CMS: user input is stored and later embedded into responses without sufficient input validation, which allows a rogue administrator to inject malicious code into the affected fields.
Recommendations
For Concrete CMS versions 9.0.0 through 9.3.2, update to a version above 9.3.2 to resolve the issue.
For Concrete CMS versions below 8.5.18, update to version 8.5.18 or higher to resolve the issue.
As a temporary workaround, consider restricting access to the RSS Displayer feature until the fixed version can be applied.
Restrict administrator privileges to minimize the risk of exploitation.
Fix · XSS · RCE
Affected Products
Concrete CMS