PT-2024-38919 · Unknown · Concrete Cms
Aembler +1
Published 2024-09-24 · Updated 2025-01-17
CVE-2024-8291
CVSS v4.0: 5.1 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions:
Concrete CMS versions 9.0.0 through 9.3.3
Concrete CMS versions below 8.5.19
Description:
Stored cross-site scripting (XSS) in the Image Editor background color setting. A rogue administrator (the CVSS vector requires high privileges, PR:H) can store malicious code through Thumbnails/Add-Type; because the value is persisted and rendered later, the script executes in the browser of any user who views the affected page. The impact is rated low on confidentiality (VC:L) with no integrity or availability impact.
Recommendations:
For Concrete CMS versions 9.0.0 through 9.3.3, update to a version above 9.3.3 to resolve the issue.
For Concrete CMS versions below 8.5.19, update to version 8.5.19 or higher to resolve the issue.
As a temporary workaround, restrict access to Thumbnails/Add-Type to reduce the risk of exploitation. Since the vector already requires administrator privileges, this only narrows the set of accounts that can inject content; it does not stop stored content from rendering, so updating remains the actual fix.
Fix
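The advisory carries no code, so the following is an added illustration, not Concrete CMS code and not the exact sink the vendor patched, of how a stored background color turns into stored XSS, what a hardened renderer looks like, and how an operator could audit already-stored values while waiting to update. The function names, the hex-only allow-list and the sample rows are assumptions introduced for the example.

```python
import html
import re

# Allow-list for a CSS hex colour. Assumption (not from the advisory): only the
# #rgb, #rrggbb and #rrggbbaa forms are legitimate values for this setting.
HEX_COLOR_RE = re.compile(r"#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6}|[0-9a-fA-F]{8})")


def is_valid_hex_color(value: str) -> bool:
    """True only when the whole string is a hex colour; anything else is rejected."""
    return HEX_COLOR_RE.fullmatch(value) is not None


def render_row_vulnerable(type_name: str, bg_color: str) -> str:
    """Illustrative vulnerable pattern: stored values are dropped into markup as-is.

    A value such as '#fff" onmouseover="alert(1)' closes the style attribute and
    adds an event handler, which runs for every user who views the page.
    """
    return (
        f"<tr><td>{type_name}</td>"
        f'<td><span class="swatch" style="background-color: {bg_color}"></span></td></tr>'
    )


def render_row_hardened(type_name: str, bg_color: str) -> str:
    """Hardened version: validate against the allow-list first, then HTML-escape
    everything that reaches the page as defence in depth."""
    if not is_valid_hex_color(bg_color):
        raise ValueError(f"rejected background colour: {bg_color!r}")
    return (
        f"<tr><td>{html.escape(type_name)}</td>"
        f'<td><span class="swatch" style="background-color: {html.escape(bg_color)}"></span></td></tr>'
    )


def audit_stored_colors(rows):
    """Return the (type_name, bg_color) pairs whose colour is not a plain hex value.

    On a real install the rows would come from the database; the schema is not
    on the page, so this takes any iterable of pairs.
    """
    return [(name, color) for name, color in rows if not is_valid_hex_color(color)]


# Constructed sample data, not real Concrete CMS records.
PAYLOAD = '#fff" onmouseover="alert(document.cookie)'
SAMPLE_ROWS = [
    ("Large", "#ffffff"),
    ("Medium", "#abc"),
    ("Thumb", PAYLOAD),
    ("Hero", "#0a0b0c0d"),
    ("Banner", "red; background-image:url(javascript:alert(1))"),
]

if __name__ == "__main__":
    print(render_row_vulnerable("Thumb", PAYLOAD))
    print(render_row_hardened("Large", "#ffffff"))
    for name, color in audit_stored_colors(SAMPLE_ROWS):
        print(f"suspicious background colour on {name}: {color!r}")
```

Validation is the primary control here: escaping alone stops the attribute from being broken out of, but a colour field has no reason to accept anything other than a colour, and an allow-list also catches values that would be harmless in HTML yet suspicious in CSS. The audit function is the interim check an operator can run over stored thumbnail-type settings before the update is applied.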
Path traversal
XSS
Related Identifiers: CVE-2024-8291
Affected Products: Concrete Cms