Vulnerability Description
Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Page. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and (if victim is an admin), the execution of unauthorized actions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Fortbridge https://fortbridge.co.uk/ for performing a penetration test and vulnerability assessment on Concrete CMS and reporting this issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Concretecms | Concrete Cms | < 8.5.21 |
Related Weaknesses (CWE)
References
- https://documentation.concretecms.org/9-x/developers/introduction/version-historRelease Notes
- https://documentation.concretecms.org/developers/introduction/version-history/85Release Notes
- https://www.concretecms.org/downloadProduct
FAQ
What is CVE-2025-8571?
CVE-2025-8571 is a vulnerability with a CVSS score of 4.8 (MEDIUM). Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Page. Unsanitized input could cause theft of session coo...
How severe is CVE-2025-8571?
CVE-2025-8571 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-8571?
Check the references section above for vendor advisories and patch information. Affected products include: Concretecms Concrete Cms.