PT-2024-39158 · Unknown · Concrete CMS
Published: 2024-09-17 · Updated: 2024-09-23
CVE-2024-8660
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions:
Concrete CMS versions 9.0.0 through 9.3.3
Description:
The issue is a stored cross-site scripting (XSS) vulnerability in the "Top Navigator Bar" block. Because the block's output was not sufficiently sanitized, a rogue administrator could store a malicious payload in it that would execute in the browsers of targeted users when they visited the home page.
Recommendations:
For Concrete CMS versions 9.0.0 through 9.3.3, upgrade to a version that includes the fix for this vulnerability. As a temporary workaround, consider disabling the "Top Navigator Bar" block until the patch is applied, restrict who can edit the "Top Navigator Bar" block to minimize the risk of exploitation, and avoid using the block in sensitive areas of the application until the issue is resolved.
Affected Products:
Concrete CMS