Thanks so much to all the community members who report vulnerabilities following the process outlined on https://www.concretecms.org/security and https://hackerone.com/concretecms?type=team so that they can be triaged and remediated by the Concrete Team!
Concrete CMS Security Fixes with 9.3.3 and 8.5.18
Concrete now displays a more generic error message in the RSS Displayer block if curl is unable to load posts, so that failure details are not exposed to site visitors. Thanks m3dium for recommending this!
Concrete v.9.3.3 now enforces the Secure flag on the CONCRETE cookie by default whenever the login request is made over https. This is in line with industry best practice. If a site is served over http:// and the guest logs in over http://, the CONCRETE cookie will not have the Secure flag applied, so that the site remains usable. Although the patch could not be applied cleanly to version 8, the Secure flag setting can be configured via the dashboard. Since this is a configuration setting, we did not issue a CVE. Thanks Yusuke Uchida for reporting!
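The behaviour described above, as an added illustration rather than Concrete CMS's own code: the Secure attribute is applied only when the request that sets the cookie arrived over TLS, so a site that is still served over plain http keeps a working login. The cookie name CONCRETE comes from the advisory; the helper function names and the session id value are assumptions made for the example.

```php
<?php
// Added example, not Concrete CMS source. Decide the Secure flag from the
// scheme of the current request, mirroring the 9.3.3 default described above.

function requestIsHttps(array $server): bool
{
    // PHP sets $_SERVER['HTTPS'] to a non-empty value on TLS requests;
    // some SAPIs use the literal string "off" on plain http, so exclude it.
    return !empty($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';
}

function sessionCookieOptions(array $server): array
{
    return [
        'expires'  => 0,              // session cookie
        'path'     => '/',
        'secure'   => requestIsHttps($server), // Secure only when the login came over https
        'httponly' => true,           // keep the cookie out of reach of page scripts
        'samesite' => 'Lax',
    ];
}

// Usage after a successful login (session id is a constructed placeholder):
$sessionId = bin2hex(random_bytes(32));
setcookie('CONCRETE', $sessionId, sessionCookieOptions($_SERVER));
```

When the application sits behind a TLS-terminating proxy, `$_SERVER['HTTPS']` may be absent even though the browser used https; in that deployment the check must be fed the trusted proxy's forwarded-protocol information instead, otherwise the Secure flag would silently be dropped on every login.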
As part of our commitment to extend support to Concrete CMS version 8.5 through 2024, we backport security fixes into Concrete 8.5. As the Concrete CMS CVE Numbering Authority (CNA), we have issued the following new Concrete CMS CVEs in conjunction with releases 9.3.3 and 8.5.18:
Affecting both version 9 and 8:
- CVE-2024-4350 Stored XSS in RSS Displayer. Prior to the fix, a rogue administrator could inject malicious code into fields due to insufficient input validation. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.0 with a vector of AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N and a CVSS v4 score of 2.1 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks m3dium for reporting.
- CVE-2024-7394 Stored XSS in getAttributeSetName(). Prior to the fix, a rogue administrator could inject malicious code. The Concrete CMS team gave this vulnerability a CVSS v3.1 score of 2 with vector AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N and a CVSS v4.0 score of 1.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks m3dium for reporting.
The following CVEs do not affect Concrete CMS versions below version 9.
- CVE-2024-4353 Stored XSS in Generate Board Name Input Field. Prior to the fix, the name input field did not sufficiently validate input, allowing a rogue administrator to inject malicious code. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N and a CVSS v4 score of 1.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks fhAnso for reporting.
- CVE-2024-7512 Stored XSS in Board instances. Prior to the fix, a rogue administrator could inject malicious code. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 1.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks m3dium for reporting.
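All four CVEs above share one root cause: a stored value (an RSS feed field, an attribute set name, a board name) was written into HTML without being encoded for the context it landed in. The following is an added example, not code from Concrete CMS, showing the unsafe pattern next to the hardened one for an RSS-style item; the function names and the sample feed item are assumptions constructed for the illustration.

```php
<?php
// Added example, not Concrete CMS source. A stored feed item rendered two ways.

// Vulnerable pattern: stored fields are concatenated straight into markup,
// so any markup an administrator saved into the field is executed by the browser.
function renderFeedItemUnsafe(array $item): string
{
    return '<a href="' . $item['link'] . '">' . $item['title'] . '</a>';
}

// HTML-context encoder: quotes are encoded too, so the value is safe inside attributes.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Only allow http(s) targets in href; anything else becomes an inert link.
function safeUrl(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '#';
    }
    return $url;
}

// Hardened pattern: validate the URL, then encode every value for its HTML context.
function renderFeedItem(array $item): string
{
    return '<a href="' . h(safeUrl($item['link'])) . '">' . h($item['title']) . '</a>';
}

// Constructed sample item with a script tag stored in the title field.
$item = [
    'title' => 'Release notes <script>alert(1)</script>',
    'link'  => 'https://example.com/notes',
];

echo renderFeedItemUnsafe($item), PHP_EOL; // script tag reaches the browser intact
echo renderFeedItem($item), PHP_EOL;       // &lt;script&gt;...&lt;/script&gt; is shown as text
```

Encoding at output time, rather than trying to strip tags at input time, is what makes the fix robust: the stored value is kept unchanged, and every template that prints it applies the encoding appropriate to where the value appears (HTML body, attribute, URL).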