CVE-2025-8571

Name of the Vulnerable Software and Affected Versions Concrete CMS versions 9.0.0 through 9.4.2 Concrete CMS versions prior to 8.5.21

Description The software is vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Page. Unsanitized input could lead to session cookie or token theft, web content defacement, redirection to malicious sites, and potentially unauthorized actions if the victim is an administrator.

Recommendations Concrete CMS versions 9.0.0 through 9.4.2: At the moment, there is no information about a newer version that contains a fix for this vulnerability. Concrete CMS versions prior to 8.5.21: At the moment, there is no information about a newer version that contains a fix for this vulnerability.