Security Fixes in Concrete 8.5.21 and CMS 9.4.3

Aug 6, 2025
by lisan

CVE-2025-8571 – Reflected XSS in Conversation Messages Dashboard Page

We created CVE-2025-8571 thanks to a recent engagement with Fortbridge. Adrian and Bogdan from Fortbridge completed a thorough three-week penetration test and vulnerability assessment of Concrete CMS. Their detailed testing helped uncover this issue, which our team addressed immediately in the latest releases.

A reflected XSS vulnerability was discovered in the Conversation Messages dashboard page. The issue was mitigated by improving sanitization in the Url::setVariable method in both Concrete CMS 9.4.3 and 8.5.21.

CVSS v4.0 Score: 4.8

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Impact: Unsanitized input could allow an attacker to steal session cookies or tokens, deface web content, redirect users to malicious websites, or even perform unauthorized actions if the victim is an administrator.

Thanks again to the Fortbridge team for identifying this vulnerability.

✅ CVE-2025-8573 – Stored XSS from Home Folder on Members Dashboard Page

Included in this release, our team also remediated a low-severity finding reported via HackerOne. This stored XSS vulnerability was reported by sealldev (Noah Cooper) via HackerOne #3145536. This issue affected only version 9; version 8 was not vulnerable.

CVSS v4.0 Score: 2.0

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Impact: A rogue admin could create a malicious folder that executes XSS when users are directed to it after login.

✅ Rich Text Editor HTML Escaping Behavior Fixed

Many thanks to Concrete CMS’ frequent contributor, MLocati, who discovered and resolved an issue affecting the rich text editor. Previously, pasting HTML into the content pane and saving would incorrectly escape the HTML on the first save. Re-saving would then store the correct HTML. This behavior has now been fixed.