Vulnerability Description
Concrete CMS v9.2.1 is affected by an Arbitrary File Upload vulnerability via a Thumbnail file upload, which allows Cross-Site Scripting (XSS). NOTE: the vendor's position is that a customer is supposed to know that "pdf" should be excluded from the allowed file types, even though pdf is one of the allowed file types in the default configuration.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Concretecms | Concrete Cms | 9.2.1 |
Related Weaknesses (CWE)
References
- https://github.com/sromanhu/ConcreteCMS-Arbitrary-file-upload-ThumbnailExploitThird Party Advisory
- https://web.archive.org/web/20231026034159/https://documentation.concretecms.org
- https://www.concretecms.org/about/project-news/security/security-advisory-2023-1
- https://github.com/sromanhu/ConcreteCMS-Arbitrary-file-upload-ThumbnailExploitThird Party Advisory
- https://web.archive.org/web/20231026034159/https://documentation.concretecms.org
- https://www.concretecms.org/about/project-news/security/security-advisory-2023-1
FAQ
What is CVE-2023-44763?
CVE-2023-44763 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Concrete CMS v9.2.1 is affected by an Arbitrary File Upload vulnerability via a Thumbnail file upload, which allows Cross-Site Scripting (XSS). NOTE: the vendor's position is that a customer is suppos...
How severe is CVE-2023-44763?
CVE-2023-44763 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-44763?
Check the references section above for vendor advisories and patch information. Affected products include: Concretecms Concrete Cms.