CVE-2023-44766

Опубликовано: 06 окт. 2023

Источник: nvd

CVSS3: 4.8

EPSS Низкий

Описание

A Cross Site Scripting (XSS) vulnerability in Concrete CMS v.9.2.1 allows an attacker to execute arbitrary code via a crafted script to the SEO - Extra from Page Settings. NOTE: the vendor disputes this because this SEO-related header change can only be made by an admin, and allowing an admin to place JavaScript there is an intentional customization feature.

Ссылки

https://github.com/sromanhu/ConcreteCMS-Stored-XSS---SEO
Exploit
https://www.concretecms.org/about/project-news/security/security-advisory-2023-10-31-concrete-cms-rejects-cve-2023-44760-and-cve-2023-44766
Third Party Advisory
https://github.com/sromanhu/ConcreteCMS-Stored-XSS---SEO
Exploit
https://www.concretecms.org/about/project-news/security/security-advisory-2023-10-31-concrete-cms-rejects-cve-2023-44760-and-cve-2023-44766
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:concretecms:concrete_cms:9.2.1:*:*:*:*:*:*:*

EPSS

Процентиль: 39%

0.00172

Низкий

4.8 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-437p-jfm4-2387

CVSS3: 5.4

github

больше 2 лет назад

ConcreteCMS Cross-site Scripting vulnerability