concrete5 is vulnerable to cross-site scripting (XSS) attacks. The library fails to sanitize user input to bulkupdate.php and sitemap_drag_request.php, allowing a malicious user to inject and execute arbitrary script.
CPE Name | Operator | Version |
---|---|---|
concrete5/concrete5 | le | 5.7.2.1 |
morxploit.com/morxploits/morxconxss.txt
packetstormsecurity.com/files/129446/Concrete5-CMS-5.7.2-5.7.2.1-Cross-Site-Scripting.html
seclists.org/fulldisclosure/2014/Dec/38
www.securityfocus.com/archive/1/534189/100/0/threaded
exchange.xforce.ibmcloud.com/vulnerabilities/99264
www.concrete5.org/community/forums/5-7-discussion/5.7.x-cve-vulnerabilities-applies-to-5.6-also