CVE-2024-4350

EPSS 1.03%
Veröffentlicht 12.08.2024 13:38:36
Zuletzt bearbeitet 25.09.2025 19:15:41
Quelle ff5b8ace-8b95-4078-9743-eac1ca
CVE-Watchlists
Login
Unerledigt
Login

Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses. A rogue administrator could inject malicious code into fields due to insufficient input validation. The Concrete CMS security team gave this vulnerability a CVSS v4 score of 5.1 with vector   https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Thanks, m3dium for reporting. (CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC)

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Concretecms ≫ Concrete Cms Version < 8.5.18

Concretecms ≫ Concrete Cms Version >= 9.0.0 < 9.3.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.03%	0.77

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.8	1.7	2.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
ff5b8ace-8b95-4078-9743-eac1ca5451de	5.1	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://documentation.concretecms.org/developers/introduction/version-history/8518-release-notes?pk_vid=e367a434ef4830491723055758d52041

Vendor Advisory

Release Notes

https://github.com/concretecms/concretecms/commit/c08d9671cec4e7afdabb547339c4bc0bed8eab06

Patch

https://github.com/concretecms/concretecms/pull/12166

Patch

https://documentation.concretecms.org/9-x/developers/introduction/version-history/933-release-notes?pk_vid=e367a434ef4830491723060415d52041

Vendor Advisory

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2024-4350

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-4350

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-4350

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-4350