Vulnerability Details CVE-2024-8660
Concrete CMS versions 9.0.0 through 9.3.3 are affected by a
stored XSS vulnerability in the "Top Navigator Bar" block.
Since the "Top Navigator Bar" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted users visited the home page.The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6
with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N . This
does not affect versions below 9.0.0 since they do not have the Top
Navigator Bar Block. Thanks, Chu Quoc Khanh for reporting.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 13.6%
CVSS Severity
CVSS v3 Score 4.8
References
Products affected by CVE-2024-8660
-
cpe:2.3:a:concretecms:concrete_cms:9.0.0
-
cpe:2.3:a:concretecms:concrete_cms:9.0.1
-
cpe:2.3:a:concretecms:concrete_cms:9.0.2
-
cpe:2.3:a:concretecms:concrete_cms:9.1.0
-
cpe:2.3:a:concretecms:concrete_cms:9.1.1
-
cpe:2.3:a:concretecms:concrete_cms:9.1.2
-
cpe:2.3:a:concretecms:concrete_cms:9.1.3
-
cpe:2.3:a:concretecms:concrete_cms:9.2.1
-
cpe:2.3:a:concretecms:concrete_cms:9.2.2
-
cpe:2.3:a:concretecms:concrete_cms:9.2.3
-
cpe:2.3:a:concretecms:concrete_cms:9.2.5
-
cpe:2.3:a:concretecms:concrete_cms:9.2.6
-
cpe:2.3:a:concretecms:concrete_cms:9.2.7
-
cpe:2.3:a:concretecms:concrete_cms:9.2.8
-
cpe:2.3:a:concretecms:concrete_cms:9.2.9
-
cpe:2.3:a:concretecms:concrete_cms:9.3.0
-
cpe:2.3:a:concretecms:concrete_cms:9.3.1
-
cpe:2.3:a:concretecms:concrete_cms:9.3.2
-
cpe:2.3:a:concretecms:concrete_cms:9.3.3