CVE-2024-2753
Concrete CMS Stored XSS on the calendar color settings screen
2.0
LOW
CVSS 3.1
EPSS 0.25%
描述
Concrete CMS version 9 before 9.2.8 and previous versions prior to 8.5.16 is vulnerable to Stored XSS on the calendar color settings screen since Information input by the user is output without escaping. A rogue administrator could inject malicious javascript into the Calendar Color Settings screen which might be executed when users visit the affected page. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 2.0 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N&version=3.1 https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator Thank you Rikuto Tauchi for reporting
如何修補 CVE-2024-2753
要修補 CVE-2024-2753,請將受影響套件升級到下列已修補版本。
- —升級至 9.2.8 或更新版本
CVE-2024-2753 正在被利用嗎?
低 — EPSS 為 0.2%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- >= 9.0.0RC1, < 9.2.8
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | LOW2.0 | CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N |