CVE-2024-3181 LOW

CVE-2024-3181: Concrete CMS version 9 prior to 9.2.8 and previous versions prior to 8.5.16 are vulnerable to Stored XSS in the Search Field.

Vendor Concrete Cms
Product Concrete CMS
Weakness CWE-79 · XSS
Published April 3, 2024
Last update August 30, 2024

CVSS base score

3.1/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Confidentiality None
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L

What the vulnerability does

01 Description

Concrete CMS version 9 prior to 9.2.8 and previous versions prior to 8.5.16 are vulnerable to Stored XSS in the Search Field. Prior to the fix, stored XSS could be executed by an administrator changing a filter to which a rogue administrator had previously added malicious code. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator). Thanks Alexey Solovyev for reporting.

Key dates

02 Disclosure timeline

April 3, 2024 CVE published
August 30, 2024 Record updated