CVE-2024-4353 MEDIUM

CVE-2024-4353: Stored XSS in Generate Board Name Input Field

Vendor Concrete Cms

Product Concrete CMS

Weakness CWE-20 · Input validation

Published August 1, 2024

Last update January 17, 2025

View on NVD All CVEs

CVSS base score

4.6/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board instance functionality. The Name input field does not check the input sufficiently letting a rogue administrator have the capability to inject malicious JavaScript code. The Concrete CMS security team gave this vulnerability a CVSS v4 score of 4.6 with a vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Concrete versions below 9 are not affected by this vulnerability.Thanks fhAnso for reporting. (CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC).

Key dates

02Disclosure timeline

August 1, 2024 CVE published

January 17, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-4353 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/20.html

Related vulnerabilities

CVE-2024-4353: Stored XSS in Generate Board Name Input Field

01Description

02Disclosure timeline

03References

04Related CVE