Back

CVE-2024-4353

Aug. 1, 2024, 7:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Concrete CMS

  • 9.0.0
  • 9.0.1
  • 9.0.2
  • 9.0.3
  • 9.0.4
  • 9.0.5
  • 9.0.6
  • 9.0.7
  • 9.0.8
  • 9.0.9
  • 9.1.0
  • 9.1.1
  • 9.1.2
  • 9.1.3
  • 9.1.4
  • 9.1.5
  • 9.2.0
  • 9.2.1
  • 9.2.2
  • 9.2.3
  • 9.2.4
  • 9.2.5
  • 9.3.0
  • 9.3.1
  • 9.3.2

Source

ff5b8ace-8b95-4078-9743-eac1ca5451de

Tags

CWE-20
2024-08-01
CVE-2024-4353
ff5b8ace-8b95-4078-9743-eac1ca5451de

CVE-2024-4353 details

Published : Aug. 1, 2024, 7:15 p.m.
Last Modified : Aug. 1, 2024, 7:15 p.m.

Description

Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board instance functionality. The Name input field does not check the input sufficiently letting a rogue administrator hav the capability to inject malicious JavaScript code. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator  and a CVSS v4 score of 1.8 with a vector of CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Thanks fhAnso for reporting.

CVSS Score

1 2 3 4 5 6 7 8 9 10

Weakness

Weakness Name Description
CWE-20 Improper Input Validation The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

URL Source
https://github.com/concretecms/concretecms/pull/12151 ff5b8ace-8b95-4078-9743-eac1ca5451de
This website uses the NVD API, but is not approved or certified by it.