First published: Mon Nov 14 2022
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations, because Concrete CMS allows an association with an entity name that doesn't exist or that, if it does exist, contains XSS, since the name was not properly sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix
---|---|---
composer/concrete5/concrete5 | >=9.0.0 <9.1.3 | 9.1.3
composer/concrete5/concrete5 | <8.5.10 | 8.5.10
Concretecms Concrete Cms | <8.5.10 |
Concretecms Concrete Cms | >=9.0.0 <=9.1.2 |
CVE-2022-43695 is a vulnerability in Concrete CMS (formerly concrete5) versions below 8.5.10 and between 9.0.0 and 9.1.2 that allows for Stored Cross-Site Scripting (XSS).
CVE-2022-43695 has a severity rating of 4.8, which is considered medium.
Concrete CMS versions below 8.5.10 and between 9.0.0 and 9.1.2 are affected by CVE-2022-43695.
To fix CVE-2022-43695, update Concrete CMS to version 8.5.10 or higher if you are using version 8, and update to version 9.1.3 or higher if you are using version 9.
You can find more information about CVE-2022-43695 at the following references: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-43695) and [Concrete CMS documentation](https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes) (for version 8.5.10) and [Concrete CMS documentation](https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes) (for version 9.1.3).
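The description above names two defects: an association target that does not refer to an existing entity is accepted, and the entity name is rendered into the dashboard without HTML encoding. The PHP below is an added illustration of the corresponding checks and is not Concrete CMS code; the entity registry, the association array and the function names are constructed for this example.

```php
<?php
// Added illustration, not Concrete CMS code. The entity registry and the
// association payload below are constructed for this example.

// Constructed registry of express entities that actually exist (handle => display name).
$knownEntities = [
    'customer' => 'Customer',
    'order'    => 'Order',
];

// Constructed association as it might arrive from the dashboard form.
// The target handle refers to no real entity and carries markup.
$association = [
    'source_entity' => 'customer',
    'target_entity' => '<script>alert(1)</script>',
];

// Check 1: the referenced entity must exist before the association is stored.
// Returns the display name, or null when the handle is unknown.
function resolveEntity(string $handle, array $knownEntities): ?string
{
    return $knownEntities[$handle] ?? null;
}

// Check 2: any name that reaches HTML output is encoded at render time,
// even if it was validated on write (covers data stored before the fix).
function renderEntityName(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$target = resolveEntity($association['target_entity'], $knownEntities);

if ($target === null) {
    // Vulnerable pattern (do not use): echoing the submitted handle as-is.
    // echo "<td>{$association['target_entity']}</td>";

    // Hardened pattern: refuse the association and encode whatever is echoed back.
    echo '<td>Unknown entity: ' . renderEntityName($association['target_entity']) . "</td>\n";
} else {
    echo '<td>' . renderEntityName($target) . "</td>\n";
}
```

The hardened branch emits the submitted handle with `<`, `>` and quotes encoded, so the browser shows the text instead of executing it; both checks together close the two conditions the advisory describes.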