Today > vulnerabilities   -   You can now download lists of IOCs here!

CVE-2024-4353

Aug. 1, 2024, 7:15 p.m.

Tags

CWE-20
2024-08-01
CVE-2024-4353
ff5b8ace-8b95-4078-9743-eac1ca5451de

Product(s) Impacted

Concrete CMS

  • 9.0.0
  • 9.0.1
  • 9.0.2
  • 9.0.3
  • 9.0.4
  • 9.0.5
  • 9.0.6
  • 9.0.7
  • 9.0.8
  • 9.0.9
  • 9.1.0
  • 9.1.1
  • 9.1.2
  • 9.1.3
  • 9.1.4
  • 9.1.5
  • 9.2.0
  • 9.2.1
  • 9.2.2
  • 9.2.3
  • 9.2.4
  • 9.2.5
  • 9.3.0
  • 9.3.1
  • 9.3.2

Description

Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board instance functionality. The Name input field does not check the input sufficiently letting a rogue administrator hav the capability to inject malicious JavaScript code. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator  and a CVSS v4 score of 1.8 with a vector of CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Thanks fhAnso for reporting.

Weaknesses

CWE-20
Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE ID: 20

Date

Published: Aug. 1, 2024, 7:15 p.m.

Last Modified: Aug. 1, 2024, 7:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

ff5b8ace-8b95-4078-9743-eac1ca5451de

References

https://github.com/ ff5b8ace-8b95-4078-9743-eac1ca5451de