CVE-2025-8571
EPSS 0.26%Concrete CMS vulnerable to Reflected Cross-Site Scripting (XSS) in Conversation Messages Dashboard Page
發布日:2025/8/6修改日:2025/8/6
描述
Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Page. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and (if victim is an admin), the execution of unauthorized actions.
受影響套件(1)
- Packagist/concrete5/concrete5from 0, < 8.5.21
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
參考連結(7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-8571
- PATCHhttps://github.com/concretecms/concretecms
- WEBhttps://documentation.concretecms.org/9-x/developers/introduction/version-history/943-release-notes
- WEBhttps://documentation.concretecms.org/developers/introduction/version-history/8521-release-notes
- WEBhttps://github.com/concretecms/concretecms/commit/4b39dcc17c309dc82eb8398e8cdb146942f62f92
- WEBhttps://github.com/concretecms/concretecms/commit/f7630b467d3a234d3d333ca117046a500e7ee2b6
- WEBhttps://www.concretecms.org/download