Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14OGgyLTI1NXEtamc0eM4AA_v1
Cross site scripting in Concrete CMS
Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with permission to modify event calendars can execute scripts.
Permalink: https://github.com/advisories/GHSA-x8h2-255q-jg4x
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14OGgyLTI1NXEtamc0eM4AA_v1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 18 days ago
Updated: 13 days ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-x8h2-255q-jg4x, CVE-2024-7398
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-7398
- https://github.com/concretecms/concretecms/pull/12183
- https://github.com/concretecms/concretecms/pull/12184
- https://github.com/concretecms/concretecms/commit/7c8ed0d1d9db0d7f6df7fa066e0858ea618451a5
- https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes
- https://documentation.concretecms.org/developers/introduction/version-history/8519-release-notes
- https://github.com/advisories/GHSA-x8h2-255q-jg4x
Blast Radius: 4.6
Affected Packages
packagist:concrete5/concrete5
Dependent packages: 4
Dependent repositories: 7
Downloads: 2,183 total
Affected Version Ranges: < 8.5.19, >= 9.0.0, < 9.3.4
Fixed in: 8.5.19, 9.3.4
All affected versions: 8.0.1, 8.0.2, 8.0.3, 8.1.0, 8.2.0, 8.2.1, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 8.4.1, 8.4.2, 8.4.3, 8.4.4, 8.4.5, 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.5.7, 8.5.8, 8.5.9, 8.5.10, 8.5.11, 8.5.12, 8.5.13, 8.5.14, 8.5.15, 8.5.16, 8.5.17, 8.5.18, 9.0.0, 9.0.1, 9.0.2, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7, 9.2.8, 9.2.9, 9.3.0, 9.3.1, 9.3.2, 9.3.3
All unaffected versions: 8.5.19, 8.5.99, 9.3.4, 9.3.5
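To turn the version ranges above into a check that can run in CI, the following script reads a project's composer.lock and reports whether the locked concrete5/concrete5 version falls inside the affected ranges (< 8.5.19, or >= 9.0.0 and < 9.3.4). This is an added example, not code from ecosyste.ms or from the Concrete CMS project; the composer.lock content embedded in it is constructed for the demo, and the package name and ranges are the ones listed on this page.

```python
"""Check a composer.lock for a concrete5/concrete5 version affected by
GHSA-x8h2-255q-jg4x / CVE-2024-7398 (< 8.5.19, or >= 9.0.0 and < 9.3.4).

Added example; not ecosyste.ms or Concrete CMS code. SAMPLE_LOCK below
is constructed for the demo.
"""
import json
import re
from typing import Optional, Tuple

PACKAGE = "concrete5/concrete5"

# (lower bound inclusive, upper bound exclusive); a None lower bound means
# every version below the upper bound. Taken from "Affected Version Ranges".
AFFECTED_RANGES = [
    (None, "8.5.19"),
    ("9.0.0", "9.3.4"),
]
FIXED_IN = ("8.5.19", "9.3.4")

_NUMERIC = re.compile(r"^v?(\d+(?:\.\d+)*)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.3.3', 'v9.3.3' or '9.3.3-rc1' into a comparable int tuple.

    Pre-release suffixes are dropped, so '9.3.4-rc1' compares equal to
    9.3.4 and is reported as unaffected; treat such results as a prompt
    to check by hand rather than as a verdict.
    """
    m = _NUMERIC.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if `version` lies inside any of AFFECTED_RANGES."""
    v = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        if lower is not None and v < parse_version(lower):
            continue
        if v < parse_version(upper):
            return True
    return False


def installed_version(lock_json: str, package: str = PACKAGE) -> Optional[str]:
    """Return the locked version of `package` from composer.lock text, or None.

    composer.lock keeps production packages under "packages" and dev-only
    packages under "packages-dev"; both are searched.
    """
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            if entry.get("name") == package:
                return entry.get("version")
    return None


def check_composer_lock(lock_json: str) -> dict:
    """Summarise the advisory status of PACKAGE in the given composer.lock."""
    version = installed_version(lock_json)
    if version is None:
        return {"package": PACKAGE, "version": None, "affected": False}
    return {
        "package": PACKAGE,
        "version": version,
        "affected": is_affected(version),
        "fixed_in": FIXED_IN,
    }


# Constructed composer.lock fragment for the demo (not from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "concrete5/concrete5", "version": "9.3.3"},
        {"name": "psr/log", "version": "3.0.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_composer_lock(SAMPLE_LOCK))
```

Point it at a real lock file with `check_composer_lock(open("composer.lock").read())`. Versions between 8.5.19 and 9.0.0 (such as the 8.5.99 placeholder listed above) fall outside both ranges and are reported as unaffected, which matches the page's unaffected list.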