concrete5/concrete5 is vulnerable to cross-site scripting. The vulnerability exists due to insufficient sanitization of input URLs, allowing an attacker to inject and execute malicious JavaScript when an older browser is used with its built-in XSS protection disabled.
documentation.concretecms.org/developers/introduction/version-history/858-release-notes
documentation.concretecms.org/developers/introduction/version-history/910-release-notes
github.com/concretecms/concretecms-core/commit/0c131cf73d77f894db3e9d16a8eb54b8e840fb0b
github.com/concretecms/concretecms-core/commit/5d82efbb8dc9457ca96668198ba262c1ac79ae51
github.com/concretecms/concretecms/commit/569e370e65f8941722ca2f30a0f946c00c1d0640
github.com/concretecms/concretecms/commit/a22cc20ef3ec83c9876a3d887dd43efb6f2ad0e6
github.com/concretecms/concretecms/pull/10547
hackerone.com/reports/1363598