CVE-2024-2179 LOW

CVE-2024-2179: Concrete CMS version 9 before 9.2.7 is vulnerable to Stored XSS via the Name field of a Group type

Vendor Concrete CMS
Product Concrete CMS
Weakness CWE-79 · XSS
Published March 5, 2024
Last update August 30, 2024

CVSS base score

2.2/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

Concrete CMS version 9 before 9.2.7 is vulnerable to Stored XSS via the Name field of a Group type, since there is insufficient validation of administrator-provided data for that field. A rogue administrator could inject malicious code into the Name field, which might be executed when users visit the affected page. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 2.2 with a vector of AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N. Concrete versions below 9 do not include group types, so they are not affected by this vulnerability. Thanks to Luca Fuda for reporting.
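The defect class described above is admin-supplied text reaching an HTML page without output encoding. The following PHP is an added illustration written for this page; it is not Concrete CMS code and does not reflect how the project renders group types. The two render functions, the `e()` helper and the name check are hypothetical, and the sample name is constructed. It shows the unescaped pattern beside the hardened one, and a save-time check that narrows what can be stored without being relied on as the primary control.

```php
<?php
// Added illustration (not Concrete CMS code): rendering an administrator-supplied
// Group type name. All functions here are hypothetical; the sample name is constructed.

// Unsafe pattern: the stored name is interpolated into HTML as-is, so any markup an
// administrator saved in the Name field is emitted as live markup to every visitor.
function renderGroupTypeUnescaped(string $name): string
{
    return "<li class=\"group-type\">{$name}</li>";
}

// Hardened pattern: encode on output, for every HTML context the value reaches.
// ENT_QUOTES encodes both quote styles, so the same helper is safe inside attributes.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderGroupTypeEncoded(string $name): string
{
    return '<li class="group-type" data-name="' . e($name) . '">' . e($name) . '</li>';
}

// Defence in depth at save time: accept only plain text of a sensible length.
// Output encoding is the control that actually prevents the XSS; this check only
// limits what a rogue administrator can persist in the first place.
function isAcceptableGroupTypeName(string $name): bool
{
    $trimmed = trim($name);
    return $trimmed !== ''
        && mb_strlen($trimmed, 'UTF-8') <= 255
        && $trimmed === strip_tags($trimmed);
}

// Constructed sample: a Name value that carries markup.
$sample = 'Editors<script>alert(1)</script>';

// The unescaped renderer passes the script element through to the page;
// the encoded renderer turns its angle brackets into entities so the browser
// shows the text rather than running it; the save-time check rejects the name.
echo renderGroupTypeUnescaped($sample), PHP_EOL;
echo renderGroupTypeEncoded($sample), PHP_EOL;
var_dump(isAcceptableGroupTypeName($sample));
```

Run it with `php example.php` and compare the two rendered lines. The encoded renderer is the fix for this CWE-79 pattern regardless of who supplies the value; the save-time check is optional hardening and should never replace encoding, because a name that passes validation today may still need escaping in a context added later.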

Key dates

Disclosure timeline

March 5, 2024 CVE published
August 30, 2024 Record updated
