3 New Very Low Concrete CMS CVEs 2024-02-04 Security Advisory

• CVE-2024-1245 Stored XSS in file tags and description attribute since administrator entered file attributes are not sufficiently sanitized in the Edit Attributes page in version 9 before 9.2.5. A rogue administrator could put malicious code into the file tags or description attribute and, when another administrator opens the same file for editing, the malicious code could execute. The Concrete CMS Security team scored this 2.4 with CVSS v3 vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N. Thanks Poto Gabor for reporting! 
• CVE-2024-1246 Reflected XSS in Image URL Import Feature due to insufficient validation of administrator provided data in version 9 before 9.2.5. A rogue administrator could inject malicious code when importing images, leading to the execution of the malicious code on the website user’s browser. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N. Thanks cupc4k3 for reporting.
• CVE-2024-1247 Stored XSS in “Role Name” field since there is insufficient validation of administrator provided data in version 9 before 9.2.5. A rogue administrator could inject malicious code into the "Role Name" field which might be executed when users visit the affected page. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Concrete versions below 9 do not include group types so they are not affected by this vulnerability. Thanks cupc4k3 for reporting.

Thanks again to all community members who report vulnerabilities through Concrete CMS Security and HackerOne!