Vulnerability Description
Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with permission to modify event calendars can execute scripts. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N. Thank you, Yusuke Uchida, for reporting. The CNA updated this risk rank on 20 Jan 2025 by lowering the AC (Attack Complexity) metric, based on CVSS 4.0 documentation stating that access privileges should not be considered for AC.
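The root cause described above is a stored value (the event name) being written into HTML without output encoding. The following is an added illustration, not Concrete CMS code and not the project's actual fix: it contrasts a render function that interpolates the stored name verbatim with one that escapes it for both text and attribute context, then runs a small inertness check that parses the rendered fragment and confirms no element or event-handler attribute originated from the stored value. The function names, the sample event name and the `<li>` markup are all assumptions constructed for this example; plain `htmlspecialchars` is used rather than Concrete CMS's own template helpers.

```php
<?php
// Added example (not Concrete CMS code): unescaped vs. escaped rendering of a
// stored calendar event name, plus a check that the escaped output is inert.

declare(strict_types=1);

// Constructed sample: a stored event name that happens to contain markup,
// a double quote and an ampersand, so every escaping path is exercised.
const SAMPLE_EVENT_NAME = 'Board meeting <img src=x onerror="alert(1)"> & "AGM"';

/** Vulnerable pattern: the stored value is interpolated into HTML as-is. */
function renderEventUnsafe(string $name): string
{
    return '<li class="event" title="' . $name . '">' . $name . '</li>';
}

/** Escape for HTML text and double-quoted attribute context. */
function escHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened pattern: every interpolation of user-controlled data is escaped on output. */
function renderEventSafe(string $name): string
{
    $escaped = escHtml($name);
    return '<li class="event" title="' . $escaped . '">' . $escaped . '</li>';
}

/**
 * Regression check: parse the rendered fragment and require exactly one <li>
 * with text-only children and no on* attributes anywhere in the document.
 */
function outputIsInert(string $html): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // fragment input produces harmless parser warnings
    $doc->loadHTML('<!DOCTYPE html><html><body><ul>' . $html . '</ul></body></html>');
    libxml_clear_errors();

    $items = $doc->getElementsByTagName('li');
    if ($items->length !== 1) {
        return false;
    }
    foreach ($items->item(0)->childNodes as $child) {
        if ($child->nodeType === XML_ELEMENT_NODE) {
            return false; // markup from the stored value became a live element
        }
    }
    $xpath = new DOMXPath($doc);
    return $xpath->query('//@*[starts-with(name(), "on")]')->length === 0;
}

$unsafe = renderEventUnsafe(SAMPLE_EVENT_NAME);
$safe   = renderEventSafe(SAMPLE_EVENT_NAME);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
echo 'unsafe output inert? ', outputIsInert($unsafe) ? 'yes' : 'no', "\n";
echo 'safe output inert?   ', outputIsInert($safe) ? 'yes' : 'no', "\n";
```

In the unsafe render the embedded quote terminates the `title` attribute early and the `<img>` tag becomes a real child element of the `<li>`, which is exactly what the inertness check flags; in the hardened render the same bytes survive only as character references, so the parser sees a single text node. The check is the kind of assertion worth keeping in a template test suite for any field that users with lower privileges can write and higher-privileged users will later view.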
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Concretecms | Concrete Cms | < 8.5.19 |
Related Weaknesses (CWE)
References
- Release Notes: https://documentation.concretecms.org/9-x/developers/introduction/version-histor
- Release Notes: https://documentation.concretecms.org/developers/introduction/version-history/85
- Patch: https://github.com/concretecms/concretecms/commit/7c8ed0d1d9db0d7f6df7fa066e0858
- Patch: https://github.com/concretecms/concretecms/pull/12183
- Patch: https://github.com/concretecms/concretecms/pull/12184
FAQ
What is CVE-2024-7398?
CVE-2024-7398 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users o...
How severe is CVE-2024-7398?
CVE-2024-7398 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-7398?
Check the references section above for vendor advisories and patch information. Affected products include: Concretecms Concrete Cms.