GHSA-x577-gcc9-9xjj

Source

https://github.com/advisories/GHSA-x577-gcc9-9xjj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-x577-gcc9-9xjj/GHSA-x577-gcc9-9xjj.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-x577-gcc9-9xjj

Aliases

CVE-2023-48650

Published

2024-02-29T03:33:14Z

Modified

2024-12-16T22:17:05.540916Z

Severity

4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Concrete CMS Stored XSS in Layout Preset Name

Details

Concrete CMS before 8.5.14 and 9 before 9.2.3 is vulnerable to an admin adding a stored XSS payload via the Layout Preset name.

Database specific

{
    "github_reviewed_at": "2024-02-29T20:09:58Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "nvd_published_at": "2024-02-29T01:41:34Z",
    "severity": "MODERATE",
    "github_reviewed": true
}

References

Affected packages

Packagist / concrete5/concrete5

Package

Name: concrete5/concrete5
Purl: pkg:composer/concrete5/concrete5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.5.14

Affected versions

8.*

8.0

8.0.1

8.0.2

8.0.3

8.1.0

8.2.0RC2

8.2.0

8.2.1

8.3.0

8.3.1

8.3.2

8.4.0RC3

8.4.0RC4

8.4.0

8.4.1

8.4.2

8.4.3

8.4.4

8.4.5

8.5.0RC1

8.5.0RC2

8.5.0

8.5.1

8.5.2

8.5.3

8.5.4

8.5.5

8.5.6RC1

8.5.6

8.5.7

8.5.8

8.5.9

8.5.10

8.5.11

8.5.12

8.5.13

Packagist / concrete5/concrete5

Package

Name: concrete5/concrete5
Purl: pkg:composer/concrete5/concrete5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.0

Fixed

9.2.3

Affected versions

9.*

9.0.0

9.0.1

9.0.2

9.1.0

9.1.1

9.1.2

9.1.3

9.2.0RC2

9.2.0

9.2.1

9.2.2