concrete5/concrete5 is vulnerable to cross-site scripting (XSS). The vulnerability is exploitable in old browsers where XSS protection is disabled, allowing an attacker to inject and execute malicious JavaScript, because the library does not properly escape malicious input by default.
documentation.concretecms.org/developers/introduction/version-history/858-release-notes
documentation.concretecms.org/developers/introduction/version-history/910-release-notes
github.com/advisories/GHSA-rhxj-fggw-55f3
github.com/concretecms/concretecms-core/commit/0c131cf73d77f894db3e9d16a8eb54b8e840fb0b
github.com/concretecms/concretecms-core/commit/5d82efbb8dc9457ca96668198ba262c1ac79ae51
github.com/concretecms/concretecms/commit/569e370e65f8941722ca2f30a0f946c00c1d0640
github.com/concretecms/concretecms/commit/a22cc20ef3ec83c9876a3d887dd43efb6f2ad0e6
github.com/concretecms/concretecms/pull/10547
hackerone.com/reports/1370054