Security Advisory 2023-10-31 Concrete CMS rejects CVE-2023-44760 and CVE-2023-44766

Oct 31, 2023
by lisan

If it is a valid vulnerability, the team can make sure there is a fix available before the vulnerability is disclosed to the public. That makes the internet safer for all! If it is not a valid finding, the reporter can learn more about the system, the public is not alarmed unnecessarily, and everyone saves time.

We are reaching out to MITRE to have CVE-2023-44760 and CVE-2023-44766 recalled.

The Concrete CMS Header Tracking Code's sole functionality is to allow an admin to add JavaScript to all pages. Ditto for the Footer Tracking Code! Hence, using either to add JavaScript to a website is not a vulnerability but rather a core feature necessary for website functionality. Much like a staircase is a potential safety threat that we all just have to live with, embedding JavaScript in a website is something that almost every website owner is going to need to do. Happily, Concrete's robust advanced permissions let you control exactly who has access to these fields in the dashboard, adding as much safety as we can in a situation where you still need to get a job done.

In addition, the cookie the reporter points to in his GitHub repository to support his claim for CVE-2023-44760 is not related to Concrete CMS at all; the session cookie used by Concrete CMS is set with the HttpOnly flag and is not accessible from JavaScript.

We have opened an issue on the reporter's GitHub repository to advise the individual of our security program, and to recommend responsible disclosure for any future findings.

Concrete CMS has a security program at https://hackerone.com/concretecms. We implore everyone to please use that method to report suspected security issues! We are always open to having conversations with security researchers about Concrete CMS.

We have become aware that there are other Concrete CMS CVEs which were not initiated by the Concrete CMS team. We will do a full audit and bring each through our Vulnerability Management Process. Stay tuned for a blog post in the near future.

The good news is that this has spurred us to jumpstart the process for the Concrete CMS project to become a CVE Numbering Authority (CNA) for CVEs affecting Concrete CMS. This will help ensure that the Concrete CMS team can address vulnerabilities before they are disseminated to the public.