Home > Vulnerability Database > CVE-2024-1245

Mend.io Vulnerability Database

CVE-2024-1245

Good to know:

Date: February 9, 2024

Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator entered file attributes are not sufficiently sanitized in the Edit Attributes page. A rogue administrator could put malicious code into the file tags or description attributes and, when another administrator opens the same file for editing, the malicious code could execute. The Concrete CMS Security team scored this 2.4 with CVSS v3 vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N.

Language: PHP

Severity Score

4.8

Related Resources (4)

Url: https://documentation.concretecms.org/9-x/developers/introduction/version-history/925-release-notes

Url: https://www.concretecms.org/about/project-news/security/2024-02-04-security-advisory

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-1245

Url: https://www.mend.io/vulnerability-database/CVE-2024-1245

Severity Score

4.8

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Input Validation

CWE-20

Top Fix

Upgrade Version

Upgrade to version https://www.cve.org/CVERecord?id=CVE-2024-1245

Learn More

CVSS v3.1

Base Score:	4.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-1245

Good to know:

Date: February 9, 2024

Language: PHP

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?