Reflected Cross-Site Scripting Vulnerability in Concrete CMS by Concrete5
CVE-2025-8571

4.8MEDIUM

Key Information:

Vendor: Concrete Cms
Status: Concrete Cms
Vendor: CVE Published:; 5 August 2025

🔔 Create Concrete Cms Vulnerability Alert

What is CVE-2025-8571?

Concrete CMS versions 9 through 9.4.2, and versions earlier than 8.5.21, are prone to a Reflected Cross-Site Scripting (XSS) vulnerability in the Conversation Messages Dashboard Page. This flaw arises from unsanitized input, potentially allowing attackers to steal session cookies or tokens, deface web content, redirect users to malicious sites, and if triggered by an admin, execute unauthorized actions. This vulnerability highlights the importance of web application security and the need for prompt updates.

Affected Version(s)

Concrete CMS 9.0.0 < 9.4.3

Concrete CMS 5.6 < 8.5.21

References

https://documentation.concretecms.org/developers/introduc...

https://documentation.concretecms.org/9-x/developers/intr...

https://www.concretecms.org/download

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 5, 2025
Vulnerability Reserved
Aug 4, 2025

Credit

Fortbridge

CVE-2025-8571 Data

JSON