Cross-site Scripting (XSS)

2022-06-2705:27:36

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

0.001 Low

EPSS

Percentile

36.7%

JSON

concrete5/concrete5 is vulnerable to cross-site scripting. The vulnerability exists in the old browsers with the XSS protection is disabled, allowing an attacker to inject and execute malicious javascript as the library does not properly escape malicious inputs by default.

CPENameOperatorVersion
concrete5/concrete5le9.0.2
concrete5/concrete5le8.5.7
concrete5/corele9.0.2
concrete5/corele8.5.7
concrete5/concrete5le9.0.2
concrete5/concrete5le8.5.7
concrete5/corele9.0.2
concrete5/corele8.5.7

Name	Operator	Version
concrete5/concrete5	le	9.0.2
concrete5/concrete5	le	8.5.7
concrete5/core	le	9.0.2
concrete5/core	le	8.5.7
concrete5/concrete5	le	9.0.2
concrete5/concrete5	le	8.5.7
concrete5/core	le	9.0.2
concrete5/core	le	8.5.7

References

documentation.concretecms.org/developers/introduction/version-history/858-release-notes

documentation.concretecms.org/developers/introduction/version-history/910-release-notes

github.com/advisories/GHSA-rhxj-fggw-55f3

github.com/concretecms/concretecms-core/commit/0c131cf73d77f894db3e9d16a8eb54b8e840fb0b

github.com/concretecms/concretecms-core/commit/5d82efbb8dc9457ca96668198ba262c1ac79ae51

github.com/concretecms/concretecms/commit/569e370e65f8941722ca2f30a0f946c00c1d0640

github.com/concretecms/concretecms/commit/a22cc20ef3ec83c9876a3d887dd43efb6f2ad0e6

github.com/concretecms/concretecms/pull/10547

hackerone.com/reports/1370054

0.001 Low

EPSS

Percentile

36.7%

JSON

Related for VERACODE:36139