CVE-2023-44761: GitHub - sromanhu/ConcreteCMS-Stored-XSS---Forms: Cross Site Scripting vulnerability in ConcreteCMS v.9.2.1 allows a local attacker to execute arbitrary code via a crafted script to the Form of the Da
Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow a local attacker to execute arbitrary code via a crafted script to the Forms of the Data objects.
ConcreteCMS Stored XSS v.9.2.1
Author: (Sergio)
Description: Multiple Cross Site Scripting vulnerabilities in ConcreteCMS v.9.2.1 allow a local attacker to execute arbitrary code via a crafted script to the Forms of the Data objects.
Attack Vectors: Scripting. A vulnerability in the sanitization of the input to the Forms of “Data Objects” allows injecting JavaScript code that is executed when a user accesses the web page.
POC:
After logging into the panel, we go to the "System & Settings - Express - Data Objects" section of the Dashboard Menu and select one.
Within the chosen Data object, we go to the Forms option:
We click on the “Add Form” option:
In the details of the form we choose "Add Field Set":
Next, we choose the + option to add data to the form field:
The vulnerability works with various fields, for example with "Core Properties - Text":
Finally we edit the content to add the payload:
XSS Payload:
<><img src=1 onerror=alert('Custom')>
We add the indicated payload in the “Custom Label” field:
In the following image you can see the embedded code that executes the payload on the main website.
As I have indicated, it works in different fields, such as the following:
Additional Information:
https://www.concretecms.com/
https://owasp.org/Top10/es/A03_2021-Injection/
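A mitigation sketch for the "Custom Label" issue described above, as an added example (not code from Concrete CMS or from the advisory author): it shows a label rendered without and with HTML encoding at output time, plus a simple check that flags stored labels containing markup. The function names, the `<label>` markup and the sample rows are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not Concrete CMS source code.

// "Before": the stored label is concatenated into the page as-is, so any
// markup saved in it is parsed by the visitor's browser.
function render_label_unsafe(string $label): string
{
    return '<label>' . $label . '</label>';
}

// "After": the label is HTML-encoded when it is written to the page, so
// markup stored in it is displayed as text instead of being interpreted.
function render_label_safe(string $label): string
{
    $encoded = htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<label>' . $encoded . '</label>';
}

// Audit helper: return the stored labels that contain angle brackets.
// A plain-text field label has no reason to contain < or >.
function find_labels_with_markup(array $labels): array
{
    return array_filter($labels, fn($l) => preg_match('/[<>]/', $l) === 1);
}

// Constructed sample rows standing in for stored "Custom Label" values,
// keyed by a made-up field id.
$labels = [
    10 => 'First name',
    11 => "<><img src=1 onerror=alert('Custom')>", // payload from the POC above
    12 => 'Terms & conditions',
];

foreach ($labels as $id => $label) {
    printf("%d unsafe: %s\n", $id, render_label_unsafe($label));
    printf("%d safe:   %s\n", $id, render_label_safe($label));
}

// Only field 11 is reported; the ampersand in field 12 is encoded but not flagged.
echo 'Labels to review: ',
    implode(', ', array_keys(find_labels_with_markup($labels))), "\n";
```

Encoding at output is the control that matters here; the audit helper is only a way to find values that were already stored before the rendering was fixed.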