Veracode Vulnerability Database: VERACODE:4764
History: Jul 27, 2017 - 10:23 p.m.

Cross-site Scripting (XSS)

2017-07-27 22:23:14
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
4

EPSS: 0.003 Low
Percentile: 68.7%

Concrete5 is vulnerable to cross-site scripting (XSS) attacks. A malicious user can inject and execute arbitrary web script because the library does not sanitize its parameters before rendering them for display. The following fields are affected:

* banned_word[] in index.php/dashboard/system/conversations/bannedwords/success
* channel in index.php/dashboard/reports/logs/view
* accessType in index.php/tools/required/permissions/access_entity
* msCountry in index.php/dashboard/system/multilingual/setup/load_icon
* arHandle in design/submit
* design in index.php/ccm/system/dialogs/area/design/submit
* pageURL in index.php/dashboard/pages/single
* SEARCH_INDEX_AREA_METHOD in index.php/dashboard/system/seo/searchindex/updated
* unit in index.php/dashboard/system/optimization/jobs/job_scheduled
* register_notification_email in index.php/dashboard/system/registration/open/1
* PATH_INFO in index.php/dashboard/extend/connect/

CPE / Name / Operator / Version
concrete5/concrete5 / le / 5.7.3.1
