XML External Entity (XXE)

2022-11-1605:14:26

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

xml external entity

concrete cms

sanitizer.php

ip disclosure

0.002 Low

EPSS

Percentile

54.6%

JSON

Concrete CMS is vulnerable to XML external entity. The vulnerability exists in dataToXml function in Sanitizer.php, which allows an attacker to inject and execute malicious code into the system due to improper sanitization of SVGs, leading to IP disclosure.

CPENameOperatorVersion
concrete5/corele8.5.9
concrete5/corele9.1.2
concrete5/concrete5le8.5.9
concrete5/concrete5le9.1.2
concrete5/corele8.5.9
concrete5/corele9.1.2
concrete5/concrete5le8.5.9
concrete5/concrete5le9.1.2

Name	Operator	Version
concrete5/core	le	8.5.9
concrete5/core	le	9.1.2
concrete5/concrete5	le	8.5.9
concrete5/concrete5	le	9.1.2
concrete5/core	le	8.5.9
concrete5/core	le	9.1.2
concrete5/concrete5	le	8.5.9
concrete5/concrete5	le	9.1.2

References

documentation.concretecms.org/developers/introduction/version-history/8510-release-notes

documentation.concretecms.org/developers/introduction/version-history/913-release-notes

github.com/concretecms/concretecms-core/commit/2d22e1e5c000669960b8637b2c516faf8bdff721

github.com/concretecms/concretecms-core/commit/448d397ee19a2e18f347531ed16454c5afd08ae5

github.com/concretecms/concretecms/commit/11d549e1aad20b906f8bbdf0c022584a01bb9a91

github.com/concretecms/concretecms/commit/37d3a6da32affae47e439dfe4f8f4c25929516e9

github.com/concretecms/concretecms/releases/8.5.10

github.com/concretecms/concretecms/releases/9.1.3

www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31

0.002 Low

EPSS

Percentile

54.6%

JSON

Related for VERACODE:38016