GHSA-c5xf-rmv4-j85h
Suggest an improvement- Source
- https://github.com/advisories/GHSA-c5xf-rmv4-j85h
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-c5xf-rmv4-j85h/GHSA-c5xf-rmv4-j85h.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-c5xf-rmv4-j85h
- Aliases
-
- CVE-2025-8573
- Published
- 2025-08-06T00:30:25Z
- Modified
- 2025-08-07T04:57:20.184911Z
- Severity
-
- 2.0 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Concrete CMS is vulnerable to Stored XSS from Home Folder on Members Dashboard page
- Details
-
Concrete CMS versions 9 through 9.4.2 are vulnerable to Stored XSS from Home Folder on Members Dashboard page. Version 8 was not affected. A rogue admin could set up a malicious folder containing XSS to which users could be directed upon login.
- Database specific
{ "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2025-08-06T17:35:50Z", "nvd_published_at": "2025-08-05T23:15:39Z", "cwe_ids": [ "CWE-20", "CWE-79" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2025-8573
- https://github.com/concretecms/concretecms/commit/f7630b467d3a234d3d333ca117046a500e7ee2b6
- https://documentation.concretecms.org/9-x/developers/introduction/version-history/943-release-notes
- https://github.com/concretecms/concretecms
- https://github.com/concretecms/concretecms/releases/tag/9.4.3
- https://www.concretecms.org/download
Affected packages
Packagist / concrete5/concrete5
Package
- Name
- concrete5/concrete5
- Purl
- pkg:composer/concrete5/concrete5