CVE-2024-7398 Information

Sep 26, 2024 cve

Description

Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts and users or groups with permission to modify event calendars can execute scripts. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 1.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N https://www.first.org/cvss/calculator/4.0CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N . Thank you Yusuke Uchida for reporting.

Reference

https://github.com/concretecms/concretecms/commit/7c8ed0d1d9db0d7f6df7fa066e0858ea618451a5 https://github.com/concretecms/concretecms/pull/12183 https://github.com/concretecms/concretecms/pull/12184 https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes https://documentation.concretecms.org/developers/introduction/version-history/8519-release-notes

Share on: