CVE-2024-7398 MEDIUM

CVE-2024-7398: Concrete CMS Stored XSS Vulnerability in Calendar Event Addition Feature

Vendor Concrete Cms
Product Concrete CMS
Weakness CWE-79 · XSS
Published September 24, 2024
Last update January 20, 2025

CVSS base score

4.6/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

What the vulnerability does

01Description

Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with permission to modify event calendars can execute scripts. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N Thank you, Yusuke Uchida for reporting. CNA updated this risk rank on 20 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC)

Key dates

02Disclosure timeline

September 24, 2024 CVE published
January 20, 2025 Record updated