CVE-2024-3181: Concrete CMS version 9 prior to 9.2.8 and previous versions prior to 8.5.16 are vulnerable to Stored XSS in the Search Field.
First published: Wed Apr 03 2024(Updated: )
Concrete CMS version 9 prior to 9.2.8 and previous versions prior to 8.5.16 are vulnerable to Stored XSS in the Search Field. Prior to the fix, stored XSS could be executed by an administrator changing a filter to which a rogue administrator had previously added malicious code. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Thanks Alexey Solovyev for reporting
Credit: ff5b8ace-8b95-4078-9743-eac1ca5451de ff5b8ace-8b95-4078-9743-eac1ca5451de
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/concrete5/concrete5 | <8.5.16 | 8.5.16 |
| composer/concrete5/concrete5 | >=9.0.0RC1<9.2.8 | 9.2.8 |
| Concrete5 | <8.5.16 | |
| Concrete5 | >=9.0.0<9.2.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://documentation.concretecms.org/developers/introduction/version-history/8516-release-notes?_gl=1*1oa3zn1*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY3MDcuMC4wLjA.
- https://documentation.concretecms.org/9-x/developers/introduction/version-history/928-release-notes?_gl=1*1bcxp5s*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY2ODEuMC4wLjA.
- https://nvd.nist.gov/vuln/detail/CVE-2024-3181
- https://github.com/concretecms/concretecms/commit/822e689cefe1eb876e9de31dad9ce660f3b5c295
- https://github.com/concretecms/concretecms/commit/e85ef2408a5eea7d5646178fbef0ab243baaed8f
- https://github.com/advisories/GHSA-qgm9-rxmq-jxmq (Advisory)
Frequently Asked Questions
What is the severity of CVE-2024-3181?
CVE-2024-3181 is classified as a medium severity Stored XSS vulnerability.
How do I fix CVE-2024-3181?
To resolve CVE-2024-3181, upgrade your Concrete CMS to version 9.2.8 or 8.5.16 or later.
Who is affected by CVE-2024-3181?
CVE-2024-3181 affects administrators using Concrete CMS versions prior to 9.2.8 and 8.5.16.
What is the impact of CVE-2024-3181?
The impact of CVE-2024-3181 allows an attacker to execute malicious scripts in the context of an affected user's session.
When was CVE-2024-3181 discovered?
CVE-2024-3181 was reported in early 2024 as a vulnerability in Concrete CMS.
- agent/title
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-qgm9-rxmq-jxmq
- alias/CVE-2024-3181
- agent/software-canonical-lookup
- agent/references
- agent/event
- collector/nvd-cve
- source/NVD
- agent/author
- collector/github-advisory
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/description
- agent/last-modified-date
- agent/severity
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- package-manager/composer
- vendor/concretecms
- canonical/concrete5
- version/concrete5/9.0.0