Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00NzRmLW1janYtcGdybc4AAzA4
Concrete CMS (previously concrete5) is vulnerable to stored XSS in uploaded file and folder names
Concrete CMS (previously concrete5) before 9.1 is vulnerable to Stored XSS in uploaded file and folder names.
Permalink: https://github.com/advisories/GHSA-474f-mcjv-pgrmJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00NzRmLW1janYtcGdybc4AAzA4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: about 1 year ago
Updated: 5 months ago
CVSS Score: 3.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Identifiers: GHSA-474f-mcjv-pgrm, CVE-2023-28819
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-28819
- https://github.com/concretecms/concretecms/releases
- https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2023-04-20
- https://github.com/concretecms/concretecms/pull/11749
- https://github.com/concretecms/concretecms/releases/tag/8.5.13
- https://www.concretecms.org/about/project-news/security/2023-11-09-security-blog-about-updated-cves-and-new-release
- https://github.com/advisories/GHSA-474f-mcjv-pgrm
Blast Radius: 3.0
Affected Packages
packagist:concrete5/concrete5
Dependent packages: 4Dependent repositories: 7
Downloads: 2,058 total
Affected Version Ranges: < 9.1.0
Fixed in: 9.1.0
All affected versions: 8.0.1, 8.0.2, 8.0.3, 8.1.0, 8.2.0, 8.2.1, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 8.4.1, 8.4.2, 8.4.3, 8.4.4, 8.4.5, 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.5.7, 8.5.8, 8.5.9, 8.5.10, 8.5.11, 8.5.12, 8.5.13, 8.5.14, 8.5.15, 8.5.16, 8.5.99, 9.0.0, 9.0.1, 9.0.2
All unaffected versions: 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7, 9.2.8