2025-01-20 Concrete Security Advisory - CVEs upgraded to “Medium” 

Jan 21, 2025
by lisan

You might notice that a number of Concrete CMS CVEs have higher CVSS 4.0 risk rankings assigned by the CNA (that’s us!) than the last time you looked at them. You aren’t hallucinating: we’ve made some adjustments, and some Concrete CVEs are now ranked as “medium” instead of “low” vulnerabilities. Guanqun Yang noticed that the Concrete team was inconsistent in our Attack Complexity (AC) CVSS 4.0 risk scoring; thanks for bringing it to our attention.

For some CVEs, the team “double counted” administrative privileges and erroneously assigned a “high” AC score because only someone granted those privileges could execute the attack. However, the CVSS 4.0 Specification calls out in section 2.1.2 that “The evasion or satisfaction of authentication mechanisms or requisites is included in the Privileges Required assessment and is not …a factor of relevance for Attack Complexity”. Hence, we have adjusted AC to "low" for the following CVEs, which increased their CVSS v4.0 scores:

CVE-2024-4350 Stored XSS in RSS Displayer is now ranked 5.1
CVE-2024-8291 Stored XSS in Image Editor Background Color is now ranked 5.1
CVE-2024-7512 Stored XSS in Board instances is now ranked 4.6
CVE-2024-4353 Stored XSS in dashboard board instance functionality is now ranked 4.6
CVE-2024-7394 Stored XSS in getAttributeSetName() is now ranked 4.6
CVE-2024-7398 Stored XSS in the calendar event addition feature is now ranked 4.6