2024-04-03 Concrete CMS New Cross Site Scripting CVEs

Apr 3, 2024
by lisan

We will be publishing a number of CVEs today that were remediated in Concrete CMS versions 8.5.16 and 9.2.8.

These were fixed with commit 11988 for version 9 and commit 11989 for version 8. We really appreciate the community members who reported these vulnerabilities through the Concrete CMS HackerOne program. All of these vulnerabilities can only be exploited by a rogue administrator.

Thanks Guram (javakhishvili) for reporting Cross-site Scripting (XSS) in the Advanced File Search Filter (CVE-2024-3178). Prior to the fix, a rogue administrator could add malicious code in the file manager because of insufficient validation of administrator-provided data. All administrators have access to the File Manager and could therefore create a search filter with the malicious code attached. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L.

Thanks Alexey Solovyev for reporting several stored XSS vulnerabilities, each of which the Concrete CMS security team gave a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L:

  • CVE-2024-3179 Stored XSS in Custom Class page editing. Prior to the fix, a rogue administrator could insert malicious code in the custom class field due to insufficient validation of administrator-provided data.
  • CVE-2024-3180 Stored XSS in blocks of type file. Prior to the fix, stored XSS could be caused by a rogue administrator adding malicious code to the link-text field when creating a block of type file.
  • CVE-2024-3181 Stored XSS in the Search Field. Prior to the fix, stored XSS could be executed when an administrator changed a filter to which a rogue administrator had previously added malicious code.

Thanks Rikuto Tauchi for reporting stored XSS on the calendar color settings screen (CVE-2024-2753). Prior to the fix, a rogue administrator could put malicious JavaScript on the Concrete CMS color settings screen, which could have been triggered by and affected users who accessed that screen. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 2.0 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N.
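The common root cause above is administrator-provided values (file block link text, a custom class name, a calendar color) reaching page markup without validation or escaping. The following is an added illustration of the defensive pattern, not Concrete CMS's own code: free text is entity-encoded at output time, while structured values such as class names and colors are checked against an allowlist, because HTML escaping alone does not constrain what ends up in a class or style attribute. All patterns, function names and sample values are constructed for this example.

```python
import html
import re

# Allowlists for the structured fields named in the advisory (constructed for
# this example; not Concrete CMS's own patterns). A CSS class is a single
# identifier token and a color is a 3- or 6-digit hex code; anything else is
# rejected outright rather than "escaped", since escaping cannot make an
# arbitrary string a safe class name or style value.
CSS_CLASS_RE = re.compile(r"^-?[A-Za-z_][A-Za-z0-9_-]*$")
HEX_COLOR_RE = re.compile(r"^#(?:[0-9A-Fa-f]{3}|[0-9A-Fa-f]{6})$")


class RejectedValue(ValueError):
    """Raised when an administrator-supplied value fails its allowlist."""


def validate_css_class(value: str) -> str:
    if not CSS_CLASS_RE.fullmatch(value):
        raise RejectedValue(f"not a CSS class token: {value!r}")
    return value


def validate_hex_color(value: str) -> str:
    if not HEX_COLOR_RE.fullmatch(value):
        raise RejectedValue(f"not a hex color: {value!r}")
    return value


def is_accepted(validator, value: str) -> bool:
    """True if the validator accepts the value, False if it raises."""
    try:
        validator(value)
        return True
    except RejectedValue:
        return False


def render_file_link_unsafe(url: str, link_text: str) -> str:
    # Vulnerable pattern: stored administrator text is concatenated into markup
    # unchanged, so any markup saved in link_text is interpreted by every viewer.
    return f'<a href="{url}">{link_text}</a>'


def render_file_link(url: str, link_text: str) -> str:
    # Hardened form: free text cannot be allowlisted, so it is entity-encoded at
    # output time; quote=True also neutralises quotes inside the href attribute.
    return (f'<a href="{html.escape(url, quote=True)}">'
            f'{html.escape(link_text, quote=True)}</a>')


def render_calendar_swatch(color: str, css_class: str) -> str:
    # Structured values pass through their allowlist before reaching markup.
    return (f'<span class="{validate_css_class(css_class)}" '
            f'style="background-color: {validate_hex_color(color)}"></span>')
```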