GSA_kwCzR0hTQS1wajQyLXI2NGYtNHhmcc4AA6ng

Low EPSS: 0.00181% (0.40409 Percentile) EPSS:

Permalink JSON

Concrete CMS Stored XSS on the calendar color settings screen

Affected Packages	Affected Versions	Fixed Versions
packagist:concrete5/concrete5	< 8.5.16, >= 9.0.0RC1, < 9.2.8	8.5.16, 9.2.8
4 Dependent packages 7 Dependent repositories 2,271 Downloads total Affected Version Ranges All affected versions 8.0.1, 8.0.2, 8.0.3, 8.1.0, 8.2.0, 8.2.1, 8.3.0, 8.3.1, 8.3.2, 8.4.0, 8.4.1, 8.4.2, 8.4.3, 8.4.4, 8.4.5, 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.5.7, 8.5.8, 8.5.9, 8.5.10, 8.5.11, 8.5.12, 8.5.13, 8.5.14, 8.5.15, 9.0.0, 9.0.0-RC1, 9.0.0-RC3, 9.0.0-RC4, 9.0.1, 9.0.2, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.2.7 All unaffected versions 8.5.16, 8.5.17, 8.5.18, 8.5.19, 8.5.20, 8.5.99, 9.2.8, 9.2.9, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.3.5, 9.3.6, 9.3.7, 9.3.8, 9.3.9, 9.4.0, 9.4.1

Concrete CMS version 9 before 9.2.8 and previous versions prior to 8.5.16 is vulnerable to Stored XSS on the calendar color settings screen since Information input by the user is output without escaping. A rogue administrator could inject malicious javascript into the Calendar Color Settings screen which might be executed when users visit the affected page. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 2.0 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N&version=3.1 https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

Thank you Rikuto Tauchi for reporting

References:

Identifiers

GHSA-pj42-r64f-4xfq

CVE-2024-2753

Risk

Severity

Low

EPSS

EPSS Percentage: 0.00181

EPSS Percentile: 0.40409

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/concretecms/concretecms

Date and time

Published

over 1 year ago

Updated

over 1 year ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories