CVE-2024-7398: Concrete CMS Stored XSS Vulnerability in Calendar Event Addition Feature
First published: Tue Sep 24 2024(Updated: )
Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with permission to modify event calendars can execute scripts.
Credit: ff5b8ace-8b95-4078-9743-eac1ca5451de ff5b8ace-8b95-4078-9743-eac1ca5451de
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/concrete5/concrete5 | <8.5.19 | 8.5.19 |
| composer/concrete5/concrete5 | >=9.0.0<9.3.4 | 9.3.4 |
| Concrete5 | <8.5.19 | |
| Concrete5 | >=9.0.0<9.3.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/concretecms/concretecms/commit/7c8ed0d1d9db0d7f6df7fa066e0858ea618451a5
- https://github.com/concretecms/concretecms/pull/12183
- https://github.com/concretecms/concretecms/pull/12184
- https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes
- https://documentation.concretecms.org/developers/introduction/version-history/8519-release-notes
- https://nvd.nist.gov/vuln/detail/CVE-2024-7398
- https://github.com/advisories/GHSA-x8h2-255q-jg4x (Advisory)
Frequently Asked Questions
What is the severity of CVE-2024-7398?
CVE-2024-7398 is classified as a stored XSS vulnerability affecting several versions of Concrete CMS.
How do I fix CVE-2024-7398?
To mitigate CVE-2024-7398, upgrade Concrete CMS to version 8.5.19 or 9.3.4 or later.
Which versions of Concrete CMS are affected by CVE-2024-7398?
CVE-2024-7398 affects Concrete CMS versions 9.0.0 through 9.3.3 and versions below 8.5.19.
Who is at risk from CVE-2024-7398?
Users or groups with permission to create event calendars are at risk from CVE-2024-7398.
What type of vulnerability is CVE-2024-7398?
CVE-2024-7398 is a stored Cross-Site Scripting (XSS) vulnerability.
- agent/weakness
- agent/title
- agent/first-publish-date
- agent/type
- agent/references
- agent/author
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/remedy
- agent/event
- agent/trending
- agent/source
- collector/mitre-cve
- source/MITRE
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-x8h2-255q-jg4x
- alias/CVE-2024-7398
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/severity
- agent/description
- collector/github-advisory
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- package-manager/composer
- vendor/concretecms
- canonical/concrete5
- version/concrete5/9.0.0