Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-44761: GitHub - sromanhu/ConcreteCMS-Stored-XSS---Forms: Cross Site Scripting vulnerability in ConcreteCMS v.9.2.1 allows a local attacker to execute arbitrary code via a crafted script to the Form of the Da

Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow a local attacker to execute arbitrary code via a crafted script to the Forms of the Data objects.

CVE
#xss#vulnerability#web#git#java#auth

ConcreteCMS Stored XSS v.9.2.1****Author: (Sergio)

Description: Multiple Cross Site Scripting vulnerability in ConcreteCMS v.9.2.1 allows a local attacker to execute arbitrary code via a crafted script to the Forms of the Data objects.

Attack Vectors: Scripting A vulnerability in the sanitization of the entry in the Forms of “Data Objects” allows injecting JavaScript code that will be executed when the user accesses the web page.

POC:

When logging into the panel, we will go to the "System & Settings - Express - Data Objects from section off Dashboard Menu and we select one.

Within the chosen Data object, we go to the Forms option:

We click on the “Add Form” option:

In the details of the form we choose "Add Field Set":

Next, we choose the + option to add data to the form field:

The vulnerability works with various fields, for example with "Core Properties - Text":

Finally we edit the content to add the payload:

XSS Payload:

<><img src=1 onerror=alert(‘Custom’)>

We add the indicated payload in the “Custom Label” field:

In the following image you can see the embedded code that executes the payload in the main web.

As I have indicated, it works in different fields, such as the following:

Additional Information:

https://www.concretecms.com/

https://owasp.org/Top10/es/A03_2021-Injection/

Related news

CVE-2023-48649: 2023-11-09 Security Blog about updated CVEs and new releases

Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows stored XSS on the Admin page via an uploaded file name.

GHSA-p4jj-gwpg-9jwh: ConcreteCMS Cross-site Scripting vulnerability

Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow a local attacker to execute arbitrary code via a crafted script to the Forms of the Data objects.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907