CVE-2024-1245 — Concrete CMS vulnerable to stored XSS in file tags and description attributes

Description

Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator entered file attributes are not sufficiently sanitized in the Edit Attributes page. A rogue administrator could put malicious code into the file tags or description attributes and, when another administrator opens the same file for editing, the malicious code could execute. The Concrete CMS Security team scored this 2.4 with CVSS v3 vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator .

How to fix CVE-2024-1245

To remediate CVE-2024-1245, upgrade the affected package to a fixed version below.

—upgrade to 9.2.5 or later

Is CVE-2024-1245 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 9.0.0RC1, < 9.2.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW2.4	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-1245
PATCHgithub.com/concretecms/concretecms
WEBdocumentation.concretecms.org/9-x/developers/introduction/version-history/925-release-notes
WEBgithub.com/concretecms/concretecms/commit/59a07472ad6349a2c5fb455837a54ed1fe3f6953