Security

The Concrete CMS Team is publishing CVE-2024-2179 with the release of 9.2.7; Concrete CMS version 9 before 9.2.7 is vulnerable to Stored XSS via the Name field of a Group type, since there is insufficient validation of administrator-provided data for that field.


On February 7th, 2024, we received a bug report that the rich text editor in Concrete CMS 8 and 9 was displaying a strange and alarming warning:

https://github.com/concretecms/concretecms/issues/11931

This warning states "This CKEditor 4.22.1 (Standard) version is not secure. Consider upgrading to the latest one, 4.24.0-lts."

Naturally, this has prompted concern and confusion from our customers and members in our community, and I feel it's important to address it. Here's what I know about this, what caused it, what it's regarding specifically, our plans to address it and how we're planning to move forward.


We will be publishing three CVEs for very low-severity vulnerabilities that were reported and fixed in Concrete version 9.2.5. These vulnerabilities affected Concrete version 9 only.


Concrete CMS has just been authorized by the CVE Program as a CVE Numbering Authority (CNA). Concrete CMS will be managing Concrete CMS CVEs created as of today going forward for supported versions of Concrete CMS.


Concrete CMS, like any software, is not immune to vulnerabilities. We are pleased to announce that we are sharing our tracker for the Disclosed Common Vulnerabilities and Exposures (CVEs) affecting supported versions of Concrete CMS. The information provided is based on the data available as of today, Dec 15, 2023. Our intention is to keep the list up to date with every Concrete CMS release.


We are excited to announce the release of Concrete version 9.2.3, as well as an update for Concrete CMS version 8.5, now at version 8.5.14. These releases come with a number of security updates, reinforcing our commitment to the security and reliability of Concrete CMS.


Actions to take to mitigate CVE-2023-37260 affecting a Concrete CMS dependency


There have been a number of medium and low security vulnerabilities that have been fixed in version 9.2.2. Also, as part of our commitment to extend support to Concrete CMS version 8.5 through 2024, we have backported a large number of security fixes into Concrete 8.5.13. We are also updating a number of published Concrete CVEs to clarify that they do not apply to version 8.5. [updated 21 Nov 2023 to provide CVE numbers]


If it is a valid vulnerability, the team can make sure there's a fix available before the vulnerability is disclosed to the public. That makes the internet safer for all! If it is not a valid finding, the reporter can learn more about the system, the public is not alarmed unnecessarily, and everyone can save time.


Concrete CMS is requesting that MITRE close CVE-2023-44763, which was submitted by a community member without the Concrete CMS Team's knowledge.