CVE-2024-8291

EPSS 0.34%
Veröffentlicht 25.09.2024 01:15:46
Zuletzt bearbeitet 17.01.2025 22:15:29
Quelle ff5b8ace-8b95-4078-9743-eac1ca
CVE-Watchlists
Login
Unerledigt
Login

Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in Image Editor Background Color.  A rogue admin could add malicious code to the Thumbnails/Add-Type. The Concrete CMS Security Team gave this a CVSS v4 score of 5.1 with vector   https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks,  Alexey Solovyev for reporting. (CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC).

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Concretecms ≫ Concrete Cms Version >= 9.0.0 < 9.3.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.34%	0.562

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.8	1.7	2.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
ff5b8ace-8b95-4078-9743-eac1ca5451de	5.1	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes

Release Notes

https://documentation.concretecms.org/developers/introduction/version-history/8519-release-notes

Release Notes

https://github.com/concretecms/concretecms/pull/12183

Patch

https://github.com/concretecms/concretecms/commit/dbce253166f6b10ff3e0c09e50fd395370b8b065

Patch

https://nvd.nist.gov/vuln/detail/CVE-2024-8291

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-8291

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-8291

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-8291