Home > Vulnerability Database > CVE-2024-7398

Mend.io Vulnerability Database

CVE-2024-7398

Date: September 24, 2024

Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with permission to modify event calendars can execute scripts. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 1.8 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N . Thank you, Yusuke Uchida for reporting.

Language: PHP

Severity Score

5.4

Related Resources (8)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-7398

Url: https://github.com/concretecms/concretecms

Url: https://github.com/concretecms/concretecms/commit/7c8ed0d1d9db0d7f6df7fa066e0858ea618451a5

Url: https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes

Url: https://documentation.concretecms.org/developers/introduction/version-history/8519-release-notes

Url: https://github.com/concretecms/concretecms/pull/12183

Url: https://github.com/concretecms/concretecms/pull/12184

Url: https://www.mend.io/vulnerability-database/CVE-2024-7398

Severity Score

5.4

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-7398

Date: September 24, 2024

Language: PHP

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?