4.8
CVE-2024-3181
- EPSS 0.1%
- Veröffentlicht 03.04.2024 20:15:07
- Zuletzt bearbeitet 16.12.2024 19:07:04
- Quelle ff5b8ace-8b95-4078-9743-eac1ca
- CVE-Watchlists
- Unerledigt
LoginConcrete CMS version 9 prior to 9.2.8 and previous versions prior to 8.5.16 are vulnerable to Stored XSS in the Search Field. Prior to the fix, stored XSS could be executed by an administrator changing a filter to which a rogue administrator had previously added malicious code. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Thanks Alexey Solovyev for reporting
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Concretecms ≫ Concrete Cms Version < 8.5.16
Concretecms ≫ Concrete Cms Version >= 9.0.0 < 9.2.8
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.1% | 0.284 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.8 | 1.7 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
|
| ff5b8ace-8b95-4078-9743-eac1ca5451de | 3.1 | 0.5 | 2.5 |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.