CVE-2022-30118: XSS
First published: Fri Jun 24 2022(Updated: )
Title for CVE: XSS in /dashboard/system/express/entities/forms/save_control/[GUID]: old browsers only.Description: When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 can allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks zeroinside for reporting.
Credit: support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Concretecms Concrete Cms | <8.5.8 | |
| Concretecms Concrete Cms | >=9.0.0<9.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-30118?
CVE-2022-30118 is a vulnerability that allows for cross-site scripting (XSS) attacks in the Concrete CMS dashboard when using old versions of Internet Explorer with XSS protection disabled.
How does CVE-2022-30118 affect Concrete CMS?
CVE-2022-30118 affects Concrete CMS versions 8.5.7 and below, as well as versions 9.0 through 9.0.2.
What is the severity of CVE-2022-30118?
The severity of CVE-2022-30118 is classified as medium, with a severity value of 6.1.
How can I fix CVE-2022-30118?
To fix CVE-2022-30118, it is recommended to update Concrete CMS to version 8.5.8 or higher for versions 8.x, and to version 9.1.0 or higher for versions 9.x.
Where can I find more information about CVE-2022-30118?
You can find more information about CVE-2022-30118 in the release notes for Concrete CMS versions 8.5.8 and 9.1.0, as well as in the HackerOne report linked in the references.
- collector/nvd-index
- vendor/concretecms
- canonical/concretecms concrete cms
- version/concretecms concrete cms/9.0.0