CVE-2023-28820

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-28820

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-28820.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-28820

Aliases

GHSA-fgxj-g7x3-85cq

Published

2023-04-28T14:15:10.703Z

Modified

2026-04-12T08:15:28.292750Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized.

References

Affected packages

Git / github.com/concretecms/concretecms

Affected ranges

Type

GIT

Repo

https://github.com/concretecms/concretecms

Events

Introduced

Fixed

f1a0eb94bc70d74c58ec8746a7a940cf8257bf22

Database specific

{
    "cpe": "cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*",
    "source": "CPE_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "9.1.0"
        }
    ]
}

Affected versions

5.*

5.7.0

5.7.0.1

5.7.0.3

5.7.0.4

5.7.1

5.7.2

5.7.2.1

5.7.3

5.7.3.1

5.7.4.1

5.7.5.2

5.7.5.5

5.7.5.6

5.7.5.7

8.*

8.1.0

8.2.0

8.2.0RC2

8.2.1

8.3.1

8.4.1

8.4.2

8.4.3

8.4.4

8.4.5

8.5.0

8.5.1

8.5.2

8.5.3

8.5.4

8.5.5

9.*

9.0.0

9.0.1

9.0.2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-28820.json"