CVE-2023-28820 — Stored cross site scripting in RSS displayer

Description

Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized.

How to fix CVE-2023-28820

To remediate CVE-2023-28820, upgrade the affected package to a fixed version below.

Packagist/concrete5/concrete5—upgrade to 9.1.0 or later

Is CVE-2023-28820 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 9.1.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW2.0	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-28820
PATCHgithub.com/concretecms/concretecms
WEBgithub.com/concretecms/concretecms/releases
WEBwww.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2023-04-20