GHSA-w6j6-w6jx-vf2r

Опубликовано: 08 авг. 2024

Источник: github

Github: Прошло ревью

CVSS4: 4.6

CVSS3: 2

Описание

Concrete CMS Stored XSS in getAttributeSetName

Concrete CMS versions 9 through 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in getAttributeSetName(). A rogue administrator could inject malicious code.

Ссылки

Пакеты

Наименование

concrete5/concrete5

composer

Затронутые версииВерсия исправления

< 8.5.18

8.5.18

Наименование

concrete5/concrete5

composer

Затронутые версииВерсия исправления

>= 9.0.0, < 9.3.3

9.3.3

EPSS

Процентиль: 88%

0.03921

Низкий

4.6 Medium

CVSS4

2 Low

CVSS3

CVE ID

CVE-2024-7394

Дефекты

CWE-20

CWE-79

Связанные уязвимости

CVE-2024-7394

CVSS3: 4.8

nvd

больше 1 года назад

Concrete CMS versions 9 through 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in getAttributeSetName(). A rogue administrator could inject malicious code. The Concrete CMS team gave this a CVSS v4.0 rank of 4.6 with vector https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks, m3dium for reporting. (CNA updated this risk rank on 20 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC)

EPSS

Процентиль: 88%

0.03921

Низкий

4.6 Medium

CVSS4

2 Low

CVSS3

CVE ID

CVE-2024-7394

Дефекты

CWE-20

CWE-79