CVE-2023-28820

LOW2.0EPSS 0.47%

Stored cross site scripting in RSS displayer

發布日:2023/4/28修改日:2024/2/16

描述

Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized.

受影響套件(1)

Packagist/concrete5/concrete5from 0, < 9.1.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	LOW2.0	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-28820
PATCHhttps://github.com/concretecms/concretecms
WEBhttps://github.com/concretecms/concretecms/releases
WEBhttps://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2023-04-20