CVE-2024-7398

CVSS V2 None CVSS V3 None

Description

Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with permission to modify event calendars can execute scripts. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 1.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N . Thank you, Yusuke Uchida for reporting.

Overview

CVE ID
CVE-2024-7398

Assigner
ConcreteCMS

Vulnerability Status
PUBLISHED

Published Version
2024-09-24T21:30:37.336Z

Last Modified Date
2024-09-24T21:30:37.336Z

Weakness Enumerations

CWE	URL
CWE-79	http://cwe.mitre.org/data/definitions/79.html

References

Reference URL	Reference Tags
https://github.com/concretecms/concretecms/commit/7c8ed0d1d9db0d7f6df7fa066e0858ea618451a5
https://github.com/concretecms/concretecms/pull/12183
https://github.com/concretecms/concretecms/pull/12184
https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes
https://documentation.concretecms.org/developers/introduction/version-history/8519-release-notes

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-7398
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7398

History

Created	Old Value	New Value	Data Type	Notes
2024-10-06 10:55:55				Added to TrackCVE