CVE-2025-0660

March 10, 2025, 9:15 p.m.

None
No Score

Description

Concrete CMS versions 9.0.0 through 9.3.9 are affected by a stored XSS in Folder Function.The "Add Folder" functionality lacks input sanitization, allowing a rogue admin to inject XSS payloads as folder names.  The Concrete CMS security team gave this vulnerability a CVSS 4.0 Score of 4.8 with vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N. Versions below 9 are not affected. Thanks, Alfin Joseph for reporting.

Product(s) Impacted

Product Versions
Concrete CMS
  • 9.0.0
  • 9.0.1
  • 9.0.2
  • 9.0.3
  • 9.0.4
  • 9.0.5
  • 9.0.6
  • 9.0.7
  • 9.0.8
  • 9.0.9
  • 9.1.0
  • 9.1.1
  • 9.1.2
  • 9.1.3
  • 9.1.4
  • 9.1.5
  • 9.1.6
  • 9.1.7
  • 9.1.8
  • 9.1.9
  • 9.2.0
  • 9.2.1
  • 9.2.2
  • 9.2.3
  • 9.2.4
  • 9.2.5
  • 9.2.6
  • 9.2.7
  • 9.2.8
  • 9.2.9
  • 9.3.0
  • 9.3.1
  • 9.3.2
  • 9.3.3
  • 9.3.4
  • 9.3.5
  • 9.3.6
  • 9.3.7
  • 9.3.8
  • 9.3.9

Weaknesses

CWE-20
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://documentation.concretecms.org/9-x/developers/introduction/version-history/940-release-notes
https://github.com/concretecms/bedrock/pull/370
https://github.com/concretecms/concretecms/pull/12454

Tags

CWE-20
ff5b8ace-8b95-4078-9743-eac1ca5451de
2025-03-10
CVE-2025-0660

Date

  • Published: March 10, 2025, 9:15 p.m.
  • Last Modified: March 10, 2025, 9:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

ff5b8ace-8b95-4078-9743-eac1ca5451de

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.