CVE-2024-8660
MEDIUM4.8EPSS 0.31%Concrete CMS stored XSS vulnerability in the "Top Navigator Bar" block
發布日:2024/9/17修改日:2024/9/17
描述
Concrete CMS versions 9.0.0 through 9.3.3 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block. Since the "Top Navigator Bar" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted users visited the home page. This does not affect versions below 9.0.0 since they do not have the Top Navigator Bar Block. Thanks, Chu Quoc Khanh for reporting.
受影響套件(1)
- Packagist/concrete5/concrete5>= 9.0.0, < 9.3.3
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | CVSS 3.1 | MEDIUM4.8 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-8660
- PATCHhttps://github.com/concretecms/concretecms
- WEBhttps://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes
- WEBhttps://github.com/concretecms/concretecms/commit/f5a01c88fb2630db96e58dcd7f52ea41e516d4e9
- WEBhttps://github.com/concretecms/concretecms/pull/12128