CVE-2022-30118

24.06.2022, 15:15

Title for CVE: XSS in /dashboard/system/express/entities/forms/save_control/[GUID]: old browsers only.Description: When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 can allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks zeroinside for reporting.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.1 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
hackerone	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 69%

Vendor	Product	Version
concretecms	concrete_cms	𝑥 < 8.5.8
concretecms	concrete_cms	9.0.0 ≤ 𝑥 < 9.1.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes

https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes

https://hackerone.com/reports/1370054

https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes

https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes

https://hackerone.com/reports/1370054