Vulnerability Description
Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized.
CVSS Score
2.0
LOW
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Concretecms | Concrete Cms | < 9.1.0 |
Related Weaknesses (CWE)
References
- https://github.com/concretecms/concretecms/releasesRelease Notes
- https://www.concretecms.org/about/project-news/security/concrete-cms-security-adVendor Advisory
- https://github.com/concretecms/concretecms/releasesRelease Notes
- https://www.concretecms.org/about/project-news/security/concrete-cms-security-adVendor Advisory
FAQ
What is CVE-2023-28820?
CVE-2023-28820 is a vulnerability with a CVSS score of 2.0 (LOW). Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized.
How severe is CVE-2023-28820?
CVE-2023-28820 has been rated LOW with a CVSS base score of 2.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-28820?
Check the references section above for vendor advisories and patch information. Affected products include: Concretecms Concrete Cms.