New Concrete CMS CVEs Published in conjunction with releases 9.3.4 and 8.5.19

Sep 13, 2024
by lisan

The following CVEs, affecting version 9 releases below 9.3.4 and all other Concrete CMS versions below 8.5.19, have been sent to MITRE to publish:

  • CVE-2024-8291 Stored XSS in Image Editor Background Color, which we fixed by sanitizing the output of “Save Background Image Color” in the file thumbnail dashboard single page. The Concrete CMS Security Team gave this a CVSS v4 score of 2.1 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Prior to the fix, a rogue admin could add malicious code to the Thumbnails/Add Type. Thanks Alexey Solovyev for reporting.
  • CVE-2024-7398 Stored XSS Vulnerability in the Calendar Event Addition Feature. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 1.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N. Prior to the fix, the calendar event name was not sanitized on output. Users or groups with permission to create event calendars could embed scripts, and users or groups with permission to modify event calendars could execute scripts. Thank you Yusuke Uchida for reporting.
  • CVE-2024-8661 Stored XSS in the “Next&Previous Nav” block. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Prior to the fix, a rogue admin could add a malicious payload. Since the “Next&Previous Nav” block output was not sufficiently sanitized, the malicious payload could be executed in the browsers of targeted users. Thanks Chu Quoc Khanh for reporting.

The following CVE being published with these releases only affects versions 9.0.0 through 9.3.3 since Concrete CMS versions below 9 do not have the Top Navigation Bar Block.

  • CVE-2024-8660 Stored XSS in the “Top Navigator Bar” block. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Prior to the fix, a rogue admin could add a malicious payload. Since the “Top Navigator Bar” output was not sufficiently sanitized, the payload could be executed when targeted users visited the home page. Thanks Chu Quoc Khanh for reporting.
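The fix pattern shared by all four advisories above is escaping stored values on output. The following is an added example, not Concrete CMS's own code: a minimal PHP renderer for a navigation block label, written once as the pre-fix version (stored value echoed as-is) and once as the fixed version (HTML-escaped on output), run against a constructed label. The function names and the sample label are assumptions; htmlspecialchars() with ENT_QUOTES is the standard PHP primitive, and Concrete CMS exposes the same escaping through its h() helper.

```php
<?php
declare(strict_types=1);

// Constructed sample: a block label as a user with block-edit permission
// could have stored it before the fix. The embedded tag is an inert marker;
// it only shows that markup survives unescaped output.
const SAMPLE_LABEL = 'Next page <script>marker()</script>';

// Before the fix: the stored value goes straight into the block view, so any
// markup in it is rendered for every visitor who sees the block.
function renderNavLinkVulnerable(string $href, string $label): string
{
    return '<a class="ccm-nav-next" href="' . $href . '">' . $label . '</a>';
}

// After the fix: escape on output. ENT_QUOTES covers both text and attribute
// context; ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying output.
// Note that escaping does not validate the URL scheme of $href; that needs a
// separate check if the href itself is user-controlled.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderNavLinkFixed(string $href, string $label): string
{
    return '<a class="ccm-nav-next" href="' . esc($href) . '">' . esc($label) . '</a>';
}

// Self-check helper: does the rendered HTML still contain a live <tag>?
function containsLiveTag(string $html, string $tag): bool
{
    return stripos($html, '<' . $tag) !== false;
}

$before = renderNavLinkVulnerable('/next', SAMPLE_LABEL);
$after  = renderNavLinkFixed('/next', SAMPLE_LABEL);

if (!containsLiveTag($before, 'script') || containsLiveTag($after, 'script')) {
    fwrite(STDERR, "escaping check failed\n");
    exit(1);
}

echo "before: $before\n";   // tag is live in the page
echo "after:  $after\n";    // tag appears as &lt;script&gt;...&lt;/script&gt;
```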

Thanks so much to all the community members who report vulnerabilities following the process outlined on https://www.concretecms.org/security and https://hackerone.com/concretecms?type=team so that they can be triaged and remediated by the Concrete Team!