CVE-2023-44763

2023-10-1012:15:09

CWE-434

[email protected]

web.nvd.nist.gov

cve-2023-44763

concrete cms

v9.2.1

arbitrary file upload

thumbnail file upload

cross-site scripting

xss

nvd

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

20.0%

JSON

Concrete CMS v9.2.1 is affected by an Arbitrary File Upload vulnerability via a Thumbnail file upload, which allows Cross-Site Scripting (XSS). NOTE: the vendor’s position is that a customer is supposed to know that “pdf” should be excluded from the allowed file types, even though pdf is one of the allowed file types in the default configuration.

Affected configurations

NVD

Node

concretecmsconcrete_cmsMatch9.2.1

CPENameOperatorVersion
concretecms:concrete_cmsconcretecms concrete cmseq9.2.1

CPE	Name	Operator	Version
concretecms:concrete_cms	concretecms concrete cms	eq	9.2.1

References

github.com/sromanhu/ConcreteCMS-Arbitrary-file-upload-Thumbnail

web.archive.org/web/20231026034159/https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/allowed-file-types

www.concretecms.org/about/project-news/security/security-advisory-2023-10-25-concrete-cms-rejects-cve-2023-44763