GHSA-r7q4-cw9r-vhp4

Source

https://github.com/advisories/GHSA-r7q4-cw9r-vhp4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-r7q4-cw9r-vhp4/GHSA-r7q4-cw9r-vhp4.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-r7q4-cw9r-vhp4

Aliases

CVE-2024-3179

Published

2024-04-03T21:31:41Z

Modified

2024-04-10T19:26:41.495056Z

Severity

3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L CVSS Calculator

Summary

Concrete CMS Stored XSS in the Custom Class page editing

Details

Concrete CMS version 9 before 9.2.8 and previous versions before 8.5.16 are vulnerable to Stored XSS in the Custom Class page editing. Prior to the fix, a rogue administrator could insert malicious code in the custom class field due to insufficient validation of administrator provided data. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Thanks Alexey Solovyev for reporting.

Database specific

{
    "cwe_ids": [
        "CWE-20",
        "CWE-79"
    ],
    "github_reviewed_at": "2024-04-03T21:54:05Z",
    "github_reviewed": true,
    "nvd_published_at": "2024-04-03T19:15:44Z",
    "severity": "LOW"
}

References

Affected packages

Packagist / concrete5/concrete5

Package

Name: concrete5/concrete5
Purl: pkg:composer/concrete5/concrete5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.0RC1

Fixed

9.2.8

Affected versions

9.*

9.0.0RC1

9.0.0RC3

9.0.0RC4

9.0.0

9.0.1

9.0.2

9.1.0

9.1.1

9.1.2

9.1.3

9.2.0RC2

9.2.0

9.2.1

9.2.2

9.2.3

9.2.4

9.2.5

9.2.6

9.2.7

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-r7q4-cw9r-vhp4/GHSA-r7q4-cw9r-vhp4.json"

Packagist / concrete5/concrete5

Package

Name: concrete5/concrete5
Purl: pkg:composer/concrete5/concrete5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.5.16

Affected versions

8.*

8.0

8.0.1

8.0.2

8.0.3

8.1.0

8.2.0RC2

8.2.0

8.2.1

8.3.0

8.3.1

8.3.2

8.4.0RC3

8.4.0RC4

8.4.0

8.4.1

8.4.2

8.4.3

8.4.4

8.4.5

8.5.0RC1

8.5.0RC2

8.5.0

8.5.1

8.5.2

8.5.3

8.5.4

8.5.5

8.5.6RC1

8.5.6

8.5.7

8.5.8

8.5.9

8.5.10

8.5.11

8.5.12

8.5.13

8.5.14

8.5.15

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-r7q4-cw9r-vhp4/GHSA-r7q4-cw9r-vhp4.json"