CVE-2024-7394 MEDIUM

CVE-2024-7394: Concrete CMS version 9.0.0 through 9.3.2 and below 8.5.18 - Stored XSS in getAttributeSetName()

Vendor Concrete Cms

Product Concrete CMS

Weakness CWE-79 · XSS

Published August 8, 2024

Last update September 25, 2025

View on NVD All CVEs

CVSS base score

4.6/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Concrete CMS versions 9 through 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in getAttributeSetName(). A rogue administrator could inject malicious code. The Concrete CMS team gave this a CVSS v4.0 rank of 4.6 with vector https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks, m3dium for reporting. (CNA updated this risk rank on 20 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC)

Key dates

02Disclosure timeline

August 8, 2024 CVE published

September 25, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-7394

Related vulnerabilities

Identifiers

CVE CVE-2024-7394

CWE CWE-79

CVSS 4.6 / MEDIUM

Affected versions

Vendor Concrete Cms

Product Concrete CMS

Affected ≥ 9 and < 9.3.3

Vendor Concrete Cms

Product Concrete CMS

Affected ≥ 5 and < 8.5.18

CVE-2024-7394: Concrete CMS version 9.0.0 through 9.3.2 and below 8.5.18 - Stored XSS in getAttributeSetName()

01Description

02Disclosure timeline

03References

04Related CVE