CVE-2025-8571
EPSS 0.26%Concrete CMS vulnerable to Reflected Cross-Site Scripting (XSS) in Conversation Messages Dashboard Page
Published: 8/6/2025Modified: 8/6/2025
Also known as:GHSA-4pcg-pjp5-3mc6
Description
Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Page. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and (if victim is an admin), the execution of unauthorized actions.
Affected packages (1)
- Packagist/concrete5/concrete5from 0, < 8.5.21
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
References (7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-8571
- PATCHhttps://github.com/concretecms/concretecms
- WEBhttps://documentation.concretecms.org/9-x/developers/introduction/version-history/943-release-notes
- WEBhttps://documentation.concretecms.org/developers/introduction/version-history/8521-release-notes
- WEBhttps://github.com/concretecms/concretecms/commit/4b39dcc17c309dc82eb8398e8cdb146942f62f92
- WEBhttps://github.com/concretecms/concretecms/commit/f7630b467d3a234d3d333ca117046a500e7ee2b6
- WEBhttps://www.concretecms.org/download