CVE-2023-28820

LOW2.0EPSS 0.47%

Stored cross site scripting in RSS displayer

Published: 4/28/2023Modified: 2/16/2024

Description

Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized.

Affected packages (1)

Packagist/concrete5/concrete5from 0, < 9.1.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW2.0	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-28820
PATCHhttps://github.com/concretecms/concretecms
WEBhttps://github.com/concretecms/concretecms/releases
WEBhttps://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2023-04-20