CVE-2022-43556

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. The Concrete CMS security team has ranked this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Thanks @_akbar_jafarli_ for reporting. Remediate by updating to Concrete CMS 8.5.10 and Concrete CMS 9.1.3.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes	Release Notes Vendor Advisory
https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes	Release Notes Vendor Advisory
https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31	Vendor Advisory
https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes	Release Notes Vendor Advisory
https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes	Release Notes Vendor Advisory
https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:concretecms:concrete_cms::::::::
	cpe:2.3:a:concretecms:concrete_cms::::::::

History

21 Nov 2024, 07:26

Type	Values Removed	Values Added
References	~~() https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes - Release Notes, Vendor Advisory~~	() https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes - Release Notes, Vendor Advisory
References	~~() https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes - Release Notes, Vendor Advisory~~	() https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes - Release Notes, Vendor Advisory
References	~~() https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31 - Vendor Advisory~~	() https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31 - Vendor Advisory
Summary		(es) Concrete CMS (anteriormente concrete5) anterior a 8.5.10 y entre 9.0.0 y 9.1.2 es vulnerable a XSS en el campo de entrada de texto, ya que la salida de la página del panel de resultados no está desinfectada. El equipo de seguridad de Concrete CMS ha clasificado este 4.2 con el vector CVSS v3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Gracias @_akbar_jafarli_ por informes. Corríjalo actualizando a Concrete CMS 8.5.10 y Concrete CMS 9.1.3.

Information

Published : 2022-12-05 22:15

Updated : 2025-04-24 14:15

NVD link : CVE-2022-43556

Mitre link : CVE-2022-43556

CVE.ORG link : CVE-2022-43556

JSON object : View

Products Affected

concretecms

concrete_cms

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.1 /10