First published: Fri Nov 17 2023
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows stored XSS on the Admin page via an uploaded file name.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/concrete5/concrete5 | >=9.0.0 <9.2.2 | 9.2.2 |
| composer/concrete5/concrete5 | <8.5.13 | 8.5.13 |
The vulnerability ID for this issue is GHSA-36fr-3wg8-q5v8.
The title of this vulnerability is 'Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows stored XSS on the Admin page via an uploaded file name.'
The severity rating of this vulnerability is low.
This vulnerability can be exploited by uploading a file with a malicious name on the Admin page of Concrete CMS.
To fix this vulnerability, update Concrete CMS to version 8.5.13 or 9.2.2.