Description: Multiple Cross-Site Scripting vulnerabilities in ConcreteCMS v.9.2.1 allow a local attacker to execute arbitrary code via a crafted script to the Forms of the Data Objects.
Attack Vectors: Scripting. A vulnerability in the sanitization of the entry in the Forms of "Data Objects" allows injecting JavaScript code that will be executed when the user accesses the web page.
After logging into the panel, we go to the "System & Settings - Express - Data Objects" section of the Dashboard menu and select one.
Within the chosen Data object, we go to the Forms option:
We click on the "Add Form" option:
In the details of the form we choose "Add Field Set":
Next, we choose the + option to add data to the form field:
The vulnerability works with various fields, for example with "Core Properties - Text":
Finally we edit the content to add the payload:
<><img src=1 onerror=alert('Custom')>
We add the indicated payload in the "Custom Label" field:
In the following image you can see the embedded code that executes the payload on the main web page.
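Added example, not part of the original write-up and not ConcreteCMS code: a PHP sketch of the unsanitized label output described above next to an output-encoded version, plus an audit check for stored labels that contain markup. The function names and the sample rows are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; none of these names come from the ConcreteCMS API.

/** Vulnerable pattern: the stored label is concatenated into HTML as-is. */
function renderLabelUnsafe(string $label): string
{
    return '<label class="control-label">' . $label . '</label>';
}

/** Hardened pattern: encode on output so markup in the label stays inert text. */
function renderLabelSafe(string $label): string
{
    $encoded = htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<label class="control-label">' . $encoded . '</label>';
}

/** Audit check: a plain-text label needs neither tags nor event-handler attributes. */
function labelLooksLikeMarkup(string $label): bool
{
    // Decode first so entity-encoded markup is inspected in its final form.
    $decoded = html_entity_decode($label, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return $decoded !== strip_tags($decoded)
        || preg_match('/\bon[a-z]+\s*=/i', $decoded) === 1;
}

// Constructed sample rows standing in for stored "Custom Label" values.
$storedLabels = [
    1 => 'First name',
    2 => "<><img src=1 onerror=alert('Custom')>", // payload from this write-up
    3 => 'Terms & conditions',
];

foreach ($storedLabels as $id => $label) {
    printf(
        "id=%d flagged=%s\n  unsafe: %s\n  safe:   %s\n",
        $id,
        labelLooksLikeMarkup($label) ? 'yes' : 'no',
        renderLabelUnsafe($label),
        renderLabelSafe($label)
    );
}
```

Encoding at output time is the fix; the audit function only helps locate labels that were already stored with markup before the fix was in place.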
As I have indicated, it works in different fields, such as the following: