CVE-2024-8291: Concrete CMS Stored XSS in Image Editor Background Color

5.1 CVSS

Description

Concrete CMS versions 9.0.0 to 9.3.3, and versions below 8.5.19, are vulnerable to stored XSS in the Image Editor background color. A rogue admin could add malicious code via Thumbnails/Add-Type. The Concrete CMS Security Team gave this a CVSS v4 score of 5.1 with vector https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N, later revised to CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks to Alexey Solovyev for reporting. (The CNA updated this risk rank on 17 Jan 2025 by lowering AC, based on CVSS 4.0 documentation that access privileges should not be considered for AC.)

Classification

CVE ID: CVE-2024-8291

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.1

Affected Products

Vendor: Concrete CMS

Product: Concrete CMS

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (estimated probability of exploitation)

EPSS Percentile: 23.57% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-15 (date the score was calculated)

References

https://github.com/concretecms/concretecms/pull/12183
https://github.com/concretecms/concretecms/commit/dbce253166f6b10ff3e0c09e50fd395370b8b065
https://documentation.concretecms.org/developers/introduction/version-history/8519-release-notes
https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes