Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS14OGgyLTI1NXEtamc0eM4AA_v1

Cross site scripting in Concrete CMS

Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with permission to modify event calendars can execute scripts.

Permalink: https://github.com/advisories/GHSA-x8h2-255q-jg4x
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14OGgyLTI1NXEtamc0eM4AA_v1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 18 days ago
Updated: 13 days ago
CVSS Score: 5.4
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Identifiers: GHSA-x8h2-255q-jg4x, CVE-2024-7398
References: Repository: https://github.com/concretecms/concretecms
Blast Radius: 4.6

Affected Packages

packagist:concrete5/concrete5
Dependent packages: 4
Dependent repositories: 7
Downloads: 2,183 total
Affected Version Ranges: < 8.5.19; >= 9.0.0, < 9.3.4
Fixed in: 8.5.19, 9.3.4
All affected versions: 8.0.1, 8.0.2, 8.0.3, 8.1.0, 8.2.0, 8.2.1, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 8.4.1, 8.4.2, 8.4.3, 8.4.4, 8.4.5, 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.5.7, 8.5.8, 8.5.9, 8.5.10, 8.5.11, 8.5.12, 8.5.13, 8.5.14, 8.5.15, 8.5.16, 8.5.17, 8.5.18, 9.0.0, 9.0.1, 9.0.2, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7, 9.2.8, 9.2.9, 9.3.0, 9.3.1, 9.3.2, 9.3.3
All unaffected versions: 8.5.19, 8.5.99, 9.3.4, 9.3.5