CVE-2023-28820

Опубликовано: 28 апр. 2023

Источник: nvd

CVSS3: 2

CVSS3: 5.4

EPSS Низкий

Описание

Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized.

Ссылки

https://github.com/concretecms/concretecms/releases
Release Notes
https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2023-04-20
Vendor Advisory
https://github.com/concretecms/concretecms/releases
Release Notes
https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2023-04-20
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*

Версия до 9.1.0 (исключая)

EPSS

Процентиль: 58%

0.0036

Низкий

2 Low

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-fgxj-g7x3-85cq

CVSS3: 2

github

почти 3 года назад

Stored cross site scripting in RSS displayer

EPSS

Процентиль: 58%

0.0036

Низкий

2 Low

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79