CVE-2022-30119: XSS
First published: Fri Jun 24 2022(Updated: )
XSS in /dashboard/reports/logs/view - old browsers only. When using Internet Explorer with the XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks zeroinside for reporting.
Credit: support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Concretecms Concrete Cms | <8.5.8 | |
| Concretecms Concrete Cms | >=9.0.0<9.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of this vulnerability?
The vulnerability ID is CVE-2022-30119.
What is the severity of CVE-2022-30119?
CVE-2022-30119 has a severity rating of 6.1 (medium).
Which software versions are affected by CVE-2022-30119?
Concrete CMS versions 8.5.7 and below, as well as versions 9.0.0 through 9.0.2 are affected by CVE-2022-30119.
How can CVE-2022-30119 be exploited?
CVE-2022-30119 can be exploited in old browsers, specifically Internet Explorer, with XSS protection disabled, by exploiting insufficient sanitation of built URLs in the /dashboard/reports/logs/view endpoint.
Are modern-day browsers vulnerable to CVE-2022-30119?
No, modern-day browsers are not vulnerable to CVE-2022-30119.
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/author
- agent/weakness
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- agent/description
- agent/tags
- agent/event
- vendor/concretecms
- canonical/concretecms concrete cms
- version/concretecms concrete cms/9.0.0