CVE-2021-3111 - OpenCVE

The Express Entries Dashboard in Concrete5 8.5.4 allows stored XSS via the name field of a new data object at an index.php/dashboard/express/entries/view/ URI.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Concretecms	Concrete Cms

Configuration 1 [-]

cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*

References

Link	Resource
http://packetstormsecurity.com/files/161600/Concrete5-8.5.4-Cross-Site-Scripting.html	Exploit Third Party Advisory VDB Entry
http://packetstormsecurity.com/files/161997/Concrete5-8.5.4-Cross-Site-Scripting.html	Third Party Advisory VDB Entry
https://documentation.concrete5.org/developers/introduction/version-history	Release Notes Vendor Advisory
https://documentation.concrete5.org/developers/introduction/version-history/855-release-notes	Release Notes Vendor Advisory
https://github.com/Quadron-Research-Lab/CVE/blob/main/CVE-2021-3111.pdf	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-01-08T14:18:31

Updated: 2021-03-29T16:06:25

Reserved: 2021-01-07T00:00:00

Link: CVE-2021-3111

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-01-08T15:15:12.953

Modified: 2021-07-22T13:07:42.927

Link: CVE-2021-3111

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The Express Entries Dashboard in Concrete5 8.5.4 allows stored XSS via the name field of a new data object at an index.php/dashboard/express/entries/view/ URI."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-03-29T16:06:25", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://documentation.concrete5.org/developers/introduction/version-history"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Quadron-Research-Lab/CVE/blob/main/CVE-2021-3111.pdf"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/161600/Concrete5-8.5.4-Cross-Site-Scripting.html"}, {"tags": ["x_refsource_MISC"], "url": "https://documentation.concrete5.org/developers/introduction/version-history/855-release-notes"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/161997/Concrete5-8.5.4-Cross-Site-Scripting.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-3111", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Express Entries Dashboard in Concrete5 8.5.4 allows stored XSS via the name field of a new data object at an index.php/dashboard/express/entries/view/ URI."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://documentation.concrete5.org/developers/introduction/version-history", "refsource": "MISC", "url": "https://documentation.concrete5.org/developers/introduction/version-history"}, {"name": "https://github.com/Quadron-Research-Lab/CVE/blob/main/CVE-2021-3111.pdf", "refsource": "MISC", "url": "https://github.com/Quadron-Research-Lab/CVE/blob/main/CVE-2021-3111.pdf"}, {"name": "http://packetstormsecurity.com/files/161600/Concrete5-8.5.4-Cross-Site-Scripting.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/161600/Concrete5-8.5.4-Cross-Site-Scripting.html"}, {"name": "https://documentation.concrete5.org/developers/introduction/version-history/855-release-notes", "refsource": "MISC", "url": "https://documentation.concrete5.org/developers/introduction/version-history/855-release-notes"}, {"name": "http://packetstormsecurity.com/files/161997/Concrete5-8.5.4-Cross-Site-Scripting.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/161997/Concrete5-8.5.4-Cross-Site-Scripting.html"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-3111", "datePublished": "2021-01-08T14:18:31", "dateReserved": "2021-01-07T00:00:00", "dateUpdated": "2021-03-29T16:06:25", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "C1F0AC3F-2B3D-474D-89AE-E36D5307AD12", "versionEndExcluding": "8.5.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Express Entries Dashboard in Concrete5 8.5.4 allows stored XSS via the name field of a new data object at an index.php/dashboard/express/entries/view/ URI."}, {"lang": "es", "value": "El Express Entries Dashboard en Concrete versi\u00f3n 5 8.5.4, permite almacenar una vulnerabilidad de tipo XSS por medio del campo name de un nuevo objeto de datos en un URI index.php/dashboard/express/entries/view/"}], "id": "CVE-2021-3111", "lastModified": "2021-07-22T13:07:42.927", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-01-08T15:15:12.953", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/161600/Concrete5-8.5.4-Cross-Site-Scripting.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/161997/Concrete5-8.5.4-Cross-Site-Scripting.html"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://documentation.concrete5.org/developers/introduction/version-history"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://documentation.concrete5.org/developers/introduction/version-history/855-release-notes"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/Quadron-Research-Lab/CVE/blob/main/CVE-2021-3111.pdf"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}