Stored XSS Vulnerability in Image Editor Background Color Affects Concrete CMS Versions 9.0.0 to 9.3.3 and Versions Prior to 8.5.19
CVE-2024-8291

5.1 MEDIUM

Key Information:

Vendor
CVE Published:
25 September 2024

What is CVE-2024-8291?

Concrete CMS is vulnerable to a stored cross-site scripting (XSS) issue in the Image Editor's background color setting. A rogue or compromised administrator account can save script in the Thumbnails/Add-Type section; because the value is stored and rendered back without adequate sanitization, the injected script executes in the browser of any user who later views the page where that value is rendered. The CVSS v4 assessment rates the impact as low confidentiality with no integrity or availability impact, so the practical risk is exposure of other users' session or data rather than direct system compromise. Note that exploitation requires an administrator account, even though the CVSS summary on this page leaves Privileges Required undefined. Affected versions are 9.0.0 through 9.3.3 and versions prior to 8.5.19; administrators should upgrade to 9.3.4 or 8.5.19 as appropriate for their branch. For details of the reported issue and the fix, refer to the official Concrete CMS documentation and commits.
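The pattern behind this class of bug, as an added illustration rather than Concrete CMS's own code: a color setting that is stored verbatim and later interpolated into markup, next to a hardened version that allowlists the value at save time and escapes it at render time. The payload, field name and rendering function below are constructed for the example; the exact injection point and payload accepted by the affected Concrete CMS versions are not on this page.

```javascript
// Added example (not Concrete CMS code): stored XSS via an unvalidated
// "background color" value, and a hardened save/render path.

// Constructed attacker input: a rogue administrator saves this as the
// thumbnail type's background color. Representative only; the real payload
// used against Concrete CMS is not documented here.
const MALICIOUS_COLOR = '"><img src=x onerror=alert(document.cookie)>';
const BENIGN_COLOR = '#ff8800';

// Vulnerable pattern: the stored value is dropped straight into an attribute,
// so a value that closes the quote and the tag becomes live markup.
function renderThumbnailPreviewUnsafe(color) {
  return `<div class="thumb" style="background-color:${color}"></div>`;
}

// Allowlist: only the CSS color syntaxes we expect (#rgb, #rrggbb,
// rgb()/rgba() with numeric arguments). Anything else is rejected.
const COLOR_RE =
  /^(#[0-9a-f]{3}|#[0-9a-f]{6}|rgba?\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*(,\s*(0|1|0?\.\d+)\s*)?\))$/i;

function isValidColor(value) {
  return typeof value === 'string' && COLOR_RE.test(value.trim());
}

// Minimal HTML attribute/text escaping.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Save-time check: reject anything that is not a plain color so that the
// database never holds markup in the first place. Throws on bad input.
function validateBackgroundColorForStorage(value) {
  if (!isValidColor(value)) {
    throw new Error('background color must be a hex or rgb()/rgba() value');
  }
  return value.trim();
}

// Render-time defense in depth: even if a bad value reached storage (for
// example, written by an unpatched version), fall back to a safe default
// and escape before interpolating into the attribute.
function renderThumbnailPreviewSafe(color) {
  const safeColor = isValidColor(color) ? color.trim() : '#ffffff';
  return `<div class="thumb" style="background-color:${escapeHtml(safeColor)}"></div>`;
}

// Returns true when the unsafe renderer emits the injected tag and the safe
// renderer does not, i.e. the hardening actually neutralises the payload.
function demonstrateFix() {
  const unsafe = renderThumbnailPreviewUnsafe(MALICIOUS_COLOR);
  const safe = renderThumbnailPreviewSafe(MALICIOUS_COLOR);
  return unsafe.includes('<img') && !safe.includes('<img');
}

console.log('unsafe:', renderThumbnailPreviewUnsafe(MALICIOUS_COLOR));
console.log('safe:  ', renderThumbnailPreviewSafe(MALICIOUS_COLOR));
console.log('fix effective:', demonstrateFix());
```

The save-time allowlist is the real fix; the render-time escaping is there so that values already persisted by an unpatched install cannot fire after upgrade. When reviewing a CMS for this class of issue, check both places: where the setting is accepted and where it is written back into HTML or inline CSS.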

Affected Version(s)

Concrete CMS 9.0.0 < 9.3.4

Concrete CMS 5.0.0 < 8.5.19

References

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

Credit

Alexey Solovyev