CVE-2023-44761: GitHub - sromanhu/ConcreteCMS-Stored-XSS---Forms: Cross Site Scripting vulnerability in ConcreteCMS v.9.2.1 allows a local attacker to execute arbitrary code via a crafted script to the Form of the Da

ConcreteCMS Stored XSS v.9.2.1****Author: (Sergio)

Description: Multiple Cross Site Scripting vulnerability in ConcreteCMS v.9.2.1 allows a local attacker to execute arbitrary code via a crafted script to the Forms of the Data objects.

Attack Vectors: Scripting A vulnerability in the sanitization of the entry in the Forms of “Data Objects” allows injecting JavaScript code that will be executed when the user accesses the web page.

POC:

When logging into the panel, we will go to the "System & Settings - Express - Data Objects from section off Dashboard Menu and we select one.

Within the chosen Data object, we go to the Forms option:

We click on the “Add Form” option:

In the details of the form we choose "Add Field Set":

Next, we choose the + option to add data to the form field:

The vulnerability works with various fields, for example with "Core Properties - Text":

Finally we edit the content to add the payload:

XSS Payload:

<><img src=1 onerror=alert(‘Custom’)>

We add the indicated payload in the “Custom Label” field:

In the following image you can see the embedded code that executes the payload in the main web.

As I have indicated, it works in different fields, such as the following:

Additional Information:

https://www.concretecms.com/

https://owasp.org/Top10/es/A03_2021-Injection/