PT-2024-38322 · Unknown · Concrete Cms
Aembler +1
Published 2024-09-24 · Updated 2025-01-21
CVE-2024-7398
CVSS v3.1 5.4 Medium
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Concrete CMS versions 9 through 9.3.3
Concrete CMS versions below 8.5.19
Description
The issue is a stored XSS in the calendar event creation feature. It occurs because the calendar event name is stored as entered and is not sanitized (HTML-encoded) when it is rendered. Users or groups with permission to create event calendars can embed a script in an event name, and the script runs in the browser of users or groups with permission to modify event calendars when they view that event.
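The following PHP snippet is an added illustration of the mechanism described above; it is not Concrete CMS code and does not reproduce the project's templates. It places the vulnerable pattern (a stored value interpolated straight into markup) next to the hardened one (encoding at output time with `htmlspecialchars`, which is also what Concrete CMS's `h()` template helper wraps), and adds a small regression check a reviewer could keep in a test suite. The function names and the event name are constructed for this example.

```php
<?php
// Added example, not Concrete CMS code: why an event name that is stored
// verbatim must be encoded on output, plus a check that flags the vulnerable
// pattern. The event name below is a constructed sample, not a real payload.

declare(strict_types=1);

// Stands in for a calendar event name read back from the database.
// Stored values are kept as typed; the decision to encode belongs to the view.
function loadStoredEventName(): string
{
    // Constructed sample: what a user with "create event calendar" permission could save.
    return 'Quarterly review <script>alert(1)</script>';
}

// Vulnerable pattern: the raw database value is interpolated into markup,
// so any tag in the name becomes part of the page for whoever views it.
function renderEventVulnerable(string $name): string
{
    return '<div class="event-name">' . $name . '</div>';
}

// Hardened pattern: encode at the point of output. ENT_QUOTES covers both
// quote styles (needed if the value ever lands inside an attribute);
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8,
// which would otherwise silently drop the event name from the page.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderEventSafe(string $name): string
{
    return '<div class="event-name">' . escapeHtml($name) . '</div>';
}

// Regression check: after removing the wrapper tags the template itself
// emits, no other tag may remain. Anything left came from user data.
function containsUnexpectedTag(string $html): bool
{
    $stripped = preg_replace('#</?div\b[^>]*>#i', '', $html) ?? '';
    return (bool) preg_match('#<[a-z!/?]#i', $stripped);
}

$name = loadStoredEventName();

$rendered = [
    'vulnerable' => renderEventVulnerable($name),
    'safe'       => renderEventSafe($name),
];

foreach ($rendered as $label => $html) {
    printf("%-11s %s\n", $label . ':', $html);
    printf("%-11s unexpected tag present: %s\n", '', containsUnexpectedTag($html) ? 'yes' : 'no');
}
```

Run it with `php example.php`: the vulnerable rendering contains a live `<script>` element and the check reports `yes`; the safe rendering shows the same text as `&lt;script&gt;...` and the check reports `no`. The check is deliberately strict (the wrapper `div` is the only tag the template is allowed to emit), which is the property a template test for this kind of bug should assert.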
Recommendations
For Concrete CMS versions 9 through 9.3.3, update to a version above 9.3.3 to resolve the issue.
For Concrete CMS versions below 8.5.19, update to version 8.5.19 or higher to resolve the issue.
As a temporary workaround, consider restricting access to the calendar event creation feature for users or groups with permission to create or modify event calendars until the update can be applied.
Fix
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Concrete Cms