Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS04Njk5LWg0NWctN2htOM4AA0SM

Concrete CMS Cross-site Scripting vulnerability

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations, because Concrete CMS allows an association to be created with an entity name that does not exist or, if it does exist, was not properly sanitized and so can carry an XSS payload. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

Permalink: https://github.com/advisories/GHSA-8699-h45g-7hm8
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04Njk5LWg0NWctN2htOM4AA0SM
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 10 months ago
Updated: 9 months ago


CVSS Score: 4.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-8699-h45g-7hm8, CVE-2022-43695
References: Repository: https://github.com/concretecms/concretecms
Blast Radius: 4.1

Affected Packages

packagist:concrete5/concrete5
Dependent packages: 4
Dependent repositories: 7
Downloads: 2,058 total
Affected Version Ranges: >= 9.0.0, < 9.1.3; < 8.5.10
Fixed in: 9.1.3, 8.5.10
All affected versions: 8.0.1, 8.0.2, 8.0.3, 8.1.0, 8.2.0, 8.2.1, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 8.4.1, 8.4.2, 8.4.3, 8.4.4, 8.4.5, 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.5.7, 8.5.8, 8.5.9, 9.0.0, 9.0.1, 9.0.2, 9.1.0, 9.1.1, 9.1.2
All unaffected versions: 8.5.10, 8.5.11, 8.5.12, 8.5.13, 8.5.14, 8.5.15, 8.5.16, 8.5.99, 9.1.3, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7, 9.2.8