CVE-2022-30120

Опубликовано: 24 июн. 2022

Источник: nvd

CVSS3: 6.1

CVSS2: 4.3

EPSS Низкий

Описание

XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 3.1with CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. Credit to Credit to Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) for reporting

Ссылки

https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes
Release Notes
Vendor Advisory
https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes
Release Notes
Vendor Advisory
https://hackerone.com/reports/1363598
Permissions Required
Third Party Advisory
https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes
Release Notes
Vendor Advisory
https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes
Release Notes
Vendor Advisory
https://hackerone.com/reports/1363598
Permissions Required
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*

Версия до 8.5.8 (исключая)

cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*

Версия от 9.0.0 (включая) до 9.1.0 (исключая)

EPSS

Процентиль: 80%

0.01338

Низкий

6.1 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-79

Связанные уязвимости

GHSA-m2ww-6wv6-vw3c

CVSS3: 3.1

github

больше 3 лет назад

Cross site scripting in Concrete CMS