CVE-2024-1246: Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature

First published: Fri Feb 09 2024(Updated: )

Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature due to insufficient validation of administrator provided data. A rogue administrator could inject malicious code when importing images, leading to the execution of the malicious code on the website user’s browser. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . This does not affect Concrete versions prior to version 9.

Credit: ff5b8ace-8b95-4078-9743-eac1ca5451de ff5b8ace-8b95-4078-9743-eac1ca5451de

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/weakness
• agent/title
• agent/type
• agent/first-publish-date
• agent/description
• agent/author
• collector/mitre-cve
• source/MITRE
• agent/references
• collector/nvd-api
• source/NVD
• agent/software-canonical-lookup
• agent/severity
• agent/softwarecombine
• collector/github-advisory-latest
• source/GitHub
• alias/GHSA-9v3w-cj7m-qh5g
• alias/CVE-2024-1246
• agent/last-modified-date
• collector/nvd-cve
• agent/event
• collector/github-advisory
• collector/epss-latest
• source/FIRST
• agent/tags
• agent/epss
• vendor/concretecms
• canonical/concretecms concrete cms
• version/concretecms concrete cms/9.0.0
• package-manager/composer