CVE-2023-28820: XSS
First published: Fri Apr 28 2023(Updated: )
Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Concretecms Concrete Cms | <9.1.0 | |
| composer/concrete5/concrete5 | <9.1.0 | 9.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability identifier for this vulnerability?
The vulnerability identifier for this vulnerability is CVE-2023-28820.
What is the severity of CVE-2023-28820?
The severity of CVE-2023-28820 is medium.
Which software versions are affected by CVE-2023-28820?
Concrete CMS (previously concrete5) before version 9.1.0 is affected by CVE-2023-28820.
What is the type of vulnerability for CVE-2023-28820?
CVE-2023-28820 is a stored XSS (Cross-Site Scripting) vulnerability.
How can I fix CVE-2023-28820?
To fix CVE-2023-28820, update Concrete CMS to version 9.1.0 or newer.
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-fgxj-g7x3-85cq
- alias/CVE-2023-28820
- collector/nvd-cve
- collector/github-advisory
- agent/weakness
- agent/tags
- agent/event
- agent/references
- agent/severity
- agent/author
- agent/description
- agent/type
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- vendor/concretecms
- canonical/concretecms concrete cms
- package-manager/composer