4.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
50.6%
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in icons since the Microsoft application tile color is not sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
CPE | Name | Operator | Version |
---|---|---|---|
concrete5/concrete5 | lt | 9.1.3 | |
concrete5/concrete5 | lt | 8.5.10 |
documentation.concretecms.org/developers/introduction/version-history/8510-release-notes
documentation.concretecms.org/developers/introduction/version-history/913-release-notes
github.com/advisories/GHSA-9jc5-9wh5-mc36
github.com/concretecms/concretecms/commit/51f19b377a19c97a8b8f1d4d0f13724ed1c7c7a7
github.com/concretecms/concretecms/commit/6d46ca042fcfeda0f7881d8744f5216ef1abce0e
github.com/concretecms/concretecms/pull/10999
github.com/concretecms/concretecms/releases/8.5.10
github.com/concretecms/concretecms/releases/9.1.3
nvd.nist.gov/vuln/detail/CVE-2022-43688
www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31