CVE-2024-1247

Concrete CMS version 9 before 9.2.5 is vulnerable tostored XSS via the Role Name field since there is insufficient validation of administrator provided data for that field.A rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the affected page. The Concrete CMS Security team scored this 2 with CVSS v3 vector  AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Concrete versions below 9 do not include group types so they are not affected by this vulnerability.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
2 LOW
NETWORK
HIGH
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
ConcreteCMSCNA
2 LOW
NETWORK
HIGH
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 90%
VendorProductVersion
concretecmsconcrete_cms
9.0.0 ≤
𝑥
< 9.2.5
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://documentation.concretecms.org/9-x/developers/introduction/version-history/925-release-notes
https://www.concretecms.org/about/project-news/security/2024-02-04-security-advisory
https://documentation.concretecms.org/9-x/developers/introduction/version-history/925-release-notes
https://www.concretecms.org/about/project-news/security/2024-02-04-security-advisory