Stored XSS Vulnerability in Concrete CMS by Concrete Solutions
CVE-2025-0660

4.8 MEDIUM

Key Information:

Vendor
CVE Published: 10 March 2025

What is CVE-2025-0660?

Concrete CMS versions 9.0.0 through 9.3.9 are susceptible to a stored XSS vulnerability in the 'Add Folder' feature. Inadequate input sanitization permits a rogue administrator to inject malicious XSS payloads as folder names. As a result, unauthorized scripts could be executed in the browser of any user who views these manipulated folder names, posing significant security threats.

Affected Version(s)

Concrete CMS 9.0.0 < 9.4.0

CVSS V4

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alfin Joseph