Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn’t exist or, if it does exist, contains XSS since it was not properly sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
References
Link | Resource |
---|---|
https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes | Release Notes Vendor Advisory |
https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes | Release Notes Vendor Advisory |
https://github.com/concretecms/concretecms/releases/8.5.10 | Release Notes Vendor Advisory |
https://github.com/concretecms/concretecms/releases/9.1.3 | Release Notes Vendor Advisory |
https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31 | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2022-11-14T00:00:00
Updated: 2022-11-14T00:00:00
Reserved: 2022-10-24T00:00:00
Link: CVE-2022-43695
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-11-14T23:15:12.863
Modified: 2023-08-08T14:22:24.967
Link: CVE-2022-43695
JSON object: View
Redhat Information
No data.
CWE