Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-9qhc-pg6j-wf23: Concrete CMS Stored XSS in blocks of type file

Concrete CMS version 9 below 9.2.8 and previous versions below 8.5.16 is vulnerable to Stored XSS in blocks of type file. Prior to fix, stored XSS could be caused by a rogue administrator adding malicious code to the link-text field when creating a block of type file. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Thanks Alexey Solovyev for reporting.

ghsa
#xss#vulnerability#git

Skip to content

    • Actions

      Automate any workflow

    • Packages

      Host and manage packages

    • Security

      Find and fix vulnerabilities

    • Codespaces

      Instant dev environments

    • Copilot

      Write better code with AI

    • Code review

      Manage code changes

    • Issues

      Plan and track work

    • Discussions

      Collaborate outside of code

    • GitHub Sponsors

      Fund open source developers

*   The ReadME Project
    
    GitHub community articles
  • Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2024-3180

Concrete CMS Stored XSS in blocks of type file

Low severity GitHub Reviewed Published Apr 3, 2024 to the GitHub Advisory Database • Updated Apr 3, 2024

Package

composer concrete5/concrete5 (Composer)

Affected versions

>= 9.0.0RC1, < 9.2.8

< 8.5.16

Patched versions

9.2.8

8.5.16

Description

Published to the GitHub Advisory Database

Apr 3, 2024

ghsa: Latest News

GHSA-hqmp-g7ph-x543: TunnelVision - decloaking VPNs using DHCP