CVE-2024-3180 LOW

CVE-2024-3180: Concrete CMS version 9 below 9.2.8 and previous versions below 8.5.16 is vulnerable to Stored XSS in blocks of type file

Vendor Concrete Cms
Product Concrete CMS
Weakness CWE-79 · XSS
Published April 3, 2024
Last update August 30, 2024
View on NVD All CVEs

CVSS base score

3.1/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L

What the vulnerability does

01Description

Concrete CMS version 9 below 9.2.8 and previous versions below 8.5.16 is vulnerable to Stored XSS in blocks of type file. Stored XSS could be caused by a rogue administrator adding malicious code to the link-text field when creating a block of type file. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Thanks Alexey Solovyev for reporting.

Key dates

02Disclosure timeline

April 3, 2024 CVE published
August 30, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-51904 WordPress Embed documents shortcode plugin <= 1.5 - Stored Cross Site Scripting (XSS) vulnerability CVE-2026-33883 Statamic has Reflected XSS via unescaped redirect parameter in its password reset form tag CVE-2025-67618 WordPress Brookside theme <= 1.4 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2023-31217 WordPress User Location and IP Plugin <= 1.6 is vulnerable to Cross Site Scripting (XSS) CVE-2023-30748 WordPress Easy Appointments plugin <= 3.10.7 - Auth. Stored Cross-Site Scripting (XSS) vulnerability