Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-48649: 2023-11-09 Security Blog about updated CVEs and new releases

Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows stored XSS on the Admin page via an uploaded file name.

CVE
#xss#vulnerability#java#auth

There have been a number of medium and low security vulnerabilities that have been fixed in version 9.2.2. Also, as part of our commitment to extend support to Concrete CMS version 8.5 through 2024, we have backported a large number of security fixes into Concrete 8.5.13. We are also updating a number of published Concrete CVEs to clarify that they do not apply to version 8.5.

Thanks so much to all the community members who report vulnerabilities following the process outlined on https://www.concretecms.org/security and https://hackerone.com/concretecms?type=team so that they can be triaged and remediated by the Concrete Team!

Fixes in both Releases 9.2.2 and 8.5.13

The following security fixes were put in place for both Concrete 9.2.2 and 8.5.13. We have obtained two new Concrete CMS CVEs to advise the community of validated weaknesses in previous versions.

  • We updated to Guzzle 6.5.8 (for Concrete 8.5.13) and to Guzzle 7.8 (for Concrete 9.2.2) to ensure Concrete CMS is not vulnerable to Guzzle CVE-2023-29197. Thank you Danilo Costa for reporting H1 2132287!
  • We are issuing a CVE because directories could be created with insecure permissions since file creation functions gave universal access (0777) to created folders by default. Excessive permissions could be granted when creating a directory with permissions greater than 0755 or when the permissions argument was not specified. The Concrete CMS Security team scored this 6.6 (Medium) with CVSS v3 vector [AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H] Thanks tahabiyikli-vortex for reporting H12122245. Thanks Mlocati for providing the fix.
  • We are issuing a CVE ​​​​​​since stored XSS on the Concrete Admin page was possible due to unsanitized uploaded file names. The Concrete CMS Security team scored this 3.5 with CVSS v3 vector [AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N] Thanks @akbar_jafarli for reporting H1 2149479

We remediated the following two CVEs that were not created by the Concrete CMS Team. We implore the community to report vulnerabilities to the Core Team so that they can be remediated before being advertised. This helps keep Concrete safer for all.

  • CVE-2023-44761 so that Concrete Admins cannot add XSS via Data Objects.
  • CVE-2023-44765 so Concrete Admins cannot add Stored XSS Associations (via Data Objects)

**CVEs Not Applicable to Concrete 8.5 **

The following CVEs only affect Concrete Versions 9.0 to 9.13. We are communicating with MITRE to have them updated to clearly identify that they do not affect version 8.5 and below. .

  • CVE-2023-28471 since Concrete versions below 9 do not use containers.
  • CVE-2023-28474 since the vulnerability was introduced in version 9.
  • CVE-2023-28475 since the file details page does not exist in the Concrete Dashboard below version 9.0.0

Fixes in Release 8.5.13

In addition to better sanitization of Plural handles and Custom labels in Express objects, the following CVEs were fixed for the Concrete 8.5 version. We are working with MITRE to have update the CVEs to reflect the applicable versions. Prior to these fixes, the Concrete 8.5 version was vulnerable to:

CVE-2023-28477 stored XSS on API Integrations via the name parameter. Prior to the fix, while adding API Integrations on Concrete CMS, the parameter name accepted special characters enabling malicious JavaScript payloads impacting /dashboard/system/api/integrations and /dashboard/system/api/integrations/view_client/unique-id. The Concrete CMS Security team scored this 5.5 with CVSS v3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N Thanks again Veshraj Ghimire for reporting H1 1753684 and providing the original fix.

CVE-2023-28475 reflected XSS on the Reply form because msgID was not sanitized in the 8.5 version. The Concrete CMS Team ranked this 4.2 (medium) With CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N] Thanks again Bogdan Tiron for the discovery.

CVE-2023-28819 stored XSS in uploaded file and folder names since Concrete CMS was rendering data without sanitizing it. The Concrete CMS Security team scored this 3.5 with CVSS v3.1 vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N. Thanks again solov9ev for reporting H1 1472270.

CVE-2023-28472 not having a way to set Secure and HTTP only attributes for ccmPoll cookies. We updated the Survey Block Controller. We added support for the concrete.session.cookie.cookie_secure value to the ccmPoll cookie (which developers can set to true if they want to use secure cookies. The Concrete CMS Security team scored this 3.4 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

CVE-2023-28473 possible Auth bypass in the jobs section. The Concrete CMS Security team scored this 2.2 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N Thanks again Adrian Tiron from Fortbridge for reporting H1 1772230.

Related news

Ubuntu Security Notice USN-6671-1

Ubuntu Security Notice 6671-1 - It was discovered that php-nyholm-psr7 incorrectly parsed HTTP headers. A remote attacker could possibly use this issue to perform an HTTP header injection attack.

Ubuntu Security Notice USN-6670-1

Ubuntu Security Notice 6670-1 - It was discovered that php-guzzlehttp-psr7 incorrectly parsed HTTP headers. A remote attacker could possibly use these issues to perform an HTTP header injection attack.

GHSA-36fr-3wg8-q5v8: Concrete CMS Cross-site Scripting vulnerability

Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows stored XSS on the Admin page via an uploaded file name.

GHSA-p4jj-gwpg-9jwh: ConcreteCMS Cross-site Scripting vulnerability

Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow a local attacker to execute arbitrary code via a crafted script to the Forms of the Data objects.

GHSA-6xx7-r8x4-fpjp: ConcreteCMS Cross-site Scripting vulnerability

A Cross Site Scripting (XSS) vulnerability in Concrete CMS v.9.2.1 allows an attacker to execute arbitrary code via a crafted script to Plural Handle of the Data Objects from System & Settings.

CVE-2023-44761: GitHub - sromanhu/ConcreteCMS-Stored-XSS---Forms: Cross Site Scripting vulnerability in ConcreteCMS v.9.2.1 allows a local attacker to execute arbitrary code via a crafted script to the Form of the Da

Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow a local attacker to execute arbitrary code via a crafted script to the Forms of the Data objects.

CVE-2023-44765: GitHub - sromanhu/ConcreteCMS-Stored-XSS---Associations: Cross Site Scripting vulnerability in ConcreteCMS v.9.2.1 allows a local attacker to execute arbitrary code via a crafted script to the Plural

A Cross Site Scripting (XSS) vulnerability in Concrete CMS v.9.2.1 allows an attacker to execute arbitrary code via a crafted script to Plural Handle of the Data Objects from System & Settings.

GHSA-xfmj-r86m-j2hr: Stored cross site scripting on API integration

Concrete CMS (previously concrete5) before 9.2 is vulnerable to stored XSS on API Integrations via the name parameter.

GHSA-474f-mcjv-pgrm: Stored cross site scripting

Concrete CMS (previously concrete5) before 9.1 is vulnerable to Stored XSS in uploaded file and folder names.

GHSA-9h33-5fxw-r2xv: Stored cross site scripting via container name

Concrete CMS (previously concrete5) before 9.2 is vulnerable to Stored XSS via a container name.

GHSA-2j26-j953-2rph: Stored cross site scripting on saved presets

Concrete CMS (previously concrete5) before 9.2 is vulnerable to Stored XSS on Saved Presets on search.

GHSA-vcpr-hm2m-gjjj: Reflected cross site scripting

Concrete CMS (previously concrete5) before 9.2 is vulnerable to Reflected XSS on the Reply form because msgID was not sanitized.

GHSA-pj76-75cm-3552: Authenication bypass

Concrete CMS (previously concrete5) before 9.2 is vulnerable to possible Auth bypass in the jobs section.

GHSA-f55r-8rcv-mqcf: Missing secure cookie parameters

Concrete CMS (previously concrete5) before 9.2 does not have Secure and HTTP only attributes set for ccmPoll cookies.

CVE-2023-28471: Home

Concrete CMS (previously concrete5) before 9.2 is vulnerable to Stored XSS via a container name.

CVE-2023-29530: HTTP Multiline Header Termination

Laminas Diactoros provides PSR HTTP Message implementations. In versions 2.18.0 and prior, 2.19.0, 2.20.0, 2.21.0, 2.22.0, 2.23.0, 2.24.0, and 2.25.0, users who create HTTP requests or responses using laminas/laminas-diactoros, when providing a newline at the start or end of a header key or value, can cause an invalid message. This can lead to denial of service vectors or application errors. The problem has been patched in following versions 2.18.1, 2.19.1, 2.20.1, 2.21.1, 2.22.1, 2.23.1, 2.24.1, and 2.25.1. As a workaround, validate HTTP header keys and/or values, and if using user-supplied values, filter them to strip off leading or trailing newline characters before calling `withHeader()`.

GHSA-wxmh-65f7-jcvw: Improper header name validation in guzzlehttp/psr7

### Impact Improper header parsing. An attacker could sneak in a newline (`\n`) into both the header names and values. While the specification states that `\r\n\r\n` is used to terminate the header list, many servers in the wild will also accept `\n\n`. ### Patches The issue is patched in 1.9.1 and 2.4.5. ### Workarounds There are no known workarounds. ### References * https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4

CVE-2023-30536: Improper header validation in slim/psr7

slim/psr7 is a PSR-7 implementation for use with Slim 4. In versions prior to 1.6.1 an attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. An attacker that is able to control the header names that are passed to Slilm-Psr7 would be able to intentionally craft invalid messages, possibly causing application errors or invalid HTTP requests being sent out with an PSR-18 HTTP client. The latter might present a denial of service vector if a remote service’s web application firewall bans the application due to the receipt of malformed requests. The issue has been patched in version 1.6.1. There are no known workarounds to this issue. Users are advised to upgrade.

CVE-2023-29197: Improper Input Validation in guzzlehttp/psr7

guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to improper header parsing. An attacker could sneak in a newline (\n) into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. This is a follow-up to CVE-2022-24775 where the fix was incomplete. The issue has been patched in versions 1.9.1 and 2.4.5. There are no known workarounds for this vulnerability. Users are advised to upgrade.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907