Skip to content

Cross site scripting in Concrete CMS

Low severity GitHub Reviewed Published Jun 25, 2022 to the GitHub Advisory Database • Updated Jan 27, 2023

Package

composer concrete5/core (Composer)

Affected versions

>= 9.0.0, < 9.1.0
< 8.5.8

Patched versions

9.1.0
8.5.8

Description

XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 3.1with CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output.

References

Published by the National Vulnerability Database Jun 24, 2022
Published to the GitHub Advisory Database Jun 25, 2022
Reviewed Jun 29, 2022
Last updated Jan 27, 2023

Severity

Low
3.1
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Weaknesses

CVE ID

CVE-2022-30120

GHSA ID

GHSA-m2ww-6wv6-vw3c

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.