CVE-2024-1247: Concrete CMS version 9 before 9.2.5 vulnerable to stored XSS via the Role Name field

First published: Fri Feb 09 2024(Updated: )

Concrete CMS version 9 before 9.2.5 is vulnerable to  stored XSS via the Role Name field since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the affected page. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Concrete versions below 9 do not include group types so they are not affected by this vulnerability.

Credit: ff5b8ace-8b95-4078-9743-eac1ca5451de ff5b8ace-8b95-4078-9743-eac1ca5451de

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• agent/weakness
• agent/first-publish-date
• agent/type
• agent/references
• agent/author
• collector/mitre-cve
• source/MITRE
• agent/title
• agent/description
• collector/nvd-api
• source/NVD
• agent/software-canonical-lookup
• agent/severity
• agent/softwarecombine
• collector/github-advisory-latest
• source/GitHub
• alias/GHSA-q25h-jch8-gfrp
• alias/CVE-2024-1247
• agent/last-modified-date
• collector/nvd-cve
• agent/event
• collector/github-advisory
• collector/epss-latest
• source/FIRST
• agent/tags
• agent/epss
• vendor/concretecms
• canonical/concretecms concrete cms
• version/concretecms concrete cms/9.0.0
• package-manager/composer