CVE Vulnerability

CVE-2022-43556

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. The Concrete CMS security team has ranked this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Thanks @_akbar_jafarli_ for reporting. Remediate by updating to Concrete CMS 8.5.10 and Concrete CMS 9.1.3.

6.1 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes Release Notes Vendor Advisory
https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes Release Notes Vendor Advisory
https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31 Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*
Information

Published : 2022-12-05 10:15

Updated : 2022-12-07 03:18

NVD link : CVE-2022-43556

Mitre link : CVE-2022-43556

Products Affected
No products.
CWE
CWE-79