CVE-2024-1245 LOW

CVE-2024-1245: Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes

Vendor Concrete Cms
Product Concrete CMS
Weakness CWE-20 · Input validation
Published February 9, 2024
Last update August 19, 2024

CVSS base score

2.4/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

What the vulnerability does

Description

Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes, since administrator-entered file attributes are not sufficiently sanitized in the Edit Attributes page. A rogue administrator could put malicious code into the file tags or description attributes and, when another administrator opens the same file for editing, the malicious code could execute. The Concrete CMS Security team scored this 2.4 with CVSS v3 vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N.

Key dates

Disclosure timeline

February 9, 2024 CVE published
August 19, 2024 Record updated