Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tMnd3LTZ3djYtdnczY84AAs-f
Cross site scripting in Concrete CMS
XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitization where built URLs are output can be exploited in Concrete 8.5.7 and below, as well as Concrete 9.0 through 9.0.2, to allow XSS. This cannot be exploited in modern web browsers because of an automatic input escape mechanism. The Concrete CMS security team ranked this vulnerability 3.1 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitization has been added where built URLs are output.
Permalink: https://github.com/advisories/GHSA-m2ww-6wv6-vw3c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tMnd3LTZ3djYtdnczY84AAs-f
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 2 years ago
Updated: almost 2 years ago
CVSS Score: 3.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS Percentage: 0.00071
EPSS Percentile: 0.32917
Identifiers: GHSA-m2ww-6wv6-vw3c, CVE-2022-30120
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-30120
- https://hackerone.com/reports/1363598
- https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes
- https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes
- https://github.com/advisories/GHSA-m2ww-6wv6-vw3c
Affected Packages
packagist:concrete5/core
Dependent packages: 37
Dependent repositories: 56
Downloads: 133,157 total
Affected Version Ranges: < 8.5.8; >= 9.0.0, < 9.1.0
Fixed in: 8.5.8, 9.1.0
All affected versions: 8.2.0, 8.2.1, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 8.4.1, 8.4.2, 8.4.3, 8.4.4, 8.4.5, 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.5.7, 9.0.0, 9.0.1, 9.0.2
All unaffected versions: 8.5.8, 8.5.9, 8.5.10, 8.5.11, 8.5.12, 8.5.13, 8.5.14, 8.5.15, 8.5.16, 8.5.17, 8.5.18, 8.5.19, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7, 9.2.8, 9.2.9, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.3.5, 9.3.6, 9.3.7, 9.3.8, 9.3.9