Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tMnd3LTZ3djYtdnczY84AAs-f
Cross site scripting in Concrete CMS
XSS in /dashboard/blocks/stacks/view_details/ (old browsers only). When an older browser with its built-in XSS protection disabled is used, insufficient sanitization where built URLs are output can be exploited in Concrete 8.5.7 and below, and in Concrete 9.0 through 9.0.2, to allow XSS. This cannot be exploited from modern browsers, which escape the offending characters in the request URL before sending it, so the reflected value no longer breaks out of the attribute; the underlying defect is nonetheless a missing server-side output encoding, not a client-side problem. The Concrete CMS security team ranked this vulnerability 3.1 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitization has been added where built URLs are output; the fix ships in 8.5.8 and 9.1.0.
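The pattern the advisory describes, as an added PHP example that is not Concrete CMS code and does not reproduce the project's actual view: a URL assembled from request input is written into an href attribute once verbatim and once with attribute-context encoding. The dashboard path constant, the buildUrl/renderLink* helpers and the injected suffix are constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Concrete CMS code. It reproduces the class of bug the
// advisory describes: a URL assembled from request input and written into an
// HTML attribute without output encoding. The path, parameter and helper
// names are hypothetical.

const DASHBOARD_PATH = '/dashboard/blocks/stacks/view_details/';

// Assemble a "built URL" the way a dashboard view might: base path plus a
// suffix taken straight from the request. No encoding is applied here; the
// template is expected to handle that, and in the vulnerable version it did not.
function buildUrl(string $base, string $suffix): string
{
    return rtrim($base, '/') . '/' . $suffix;
}

// Vulnerable pattern: the built URL goes into href="" verbatim. A literal
// double quote in $url terminates the attribute and whatever follows is
// parsed as new markup.
function renderLinkUnsafe(string $url): string
{
    return '<a href="' . $url . '">Back</a>';
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES covers
// both quote characters, so the value cannot close the attribute; the URL is
// unchanged once the browser decodes the entities.
function renderLinkSafe(string $url): string
{
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">Back</a>';
}

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed input: what an older browser delivers in the URL unchanged.
// A current browser percent-encodes the quote and angle brackets before
// sending the request, which is why the advisory limits the bug to older
// browsers; the server-side fix is needed regardless.
$suffixFromRequest = '123"><img src=x onerror=alert(1)>';
$url = buildUrl(DASHBOARD_PATH, $suffixFromRequest);

$unsafe = renderLinkUnsafe($url);
$safe   = renderLinkSafe($url);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";

// The unsafe rendering contains an injected tag; the safe one keeps every
// character of the payload inside the attribute as entities.
check(strpos($unsafe, '<img') !== false, 'unsafe output contains injected tag');
check(strpos($safe, '<img') === false, 'safe output contains no injected tag');
check(strpos($safe, '&quot;&gt;&lt;img') !== false, 'safe output encodes the breakout');
```

Run with `php example.php`. The check that matters when auditing similar code is the second one: the encoded output must not contain a raw `"`, `<` or `>` that came from the request, whichever helper the template uses to build the URL.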
Permalink: https://github.com/advisories/GHSA-m2ww-6wv6-vw3c
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tMnd3LTZ3djYtdnczY84AAs-f
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 3.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Identifiers: GHSA-m2ww-6wv6-vw3c, CVE-2022-30120
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-30120
- https://hackerone.com/reports/1363598
- https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes
- https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes
- https://github.com/advisories/GHSA-m2ww-6wv6-vw3c
Affected Packages
packagist:concrete5/core
Dependent packages: 33
Dependent repositories: 56
Downloads: 114,120 total
Affected Version Ranges: < 8.5.8; >= 9.0.0, < 9.1.0
Fixed in: 8.5.8, 9.1.0
All affected versions: 8.2.0, 8.2.1, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 8.4.1, 8.4.2, 8.4.3, 8.4.4, 8.4.5, 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.5.7, 9.0.0, 9.0.1, 9.0.2
All unaffected versions: 8.5.8, 8.5.9, 8.5.10, 8.5.11, 8.5.12, 8.5.13, 8.5.14, 8.5.15, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7, 9.2.8