CVE-2024-7512

Improper Input Validation (CWE-20)

Published: Aug 12, 2024 / Updated: 3mo ago

CVSS 1.8 / EPSS 0.04% (Low)

Summary

Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in Board instances. A rogue administrator could inject malicious code.

Impact

This vulnerability allows a malicious administrator to inject and store malicious code in Board instances. When other users access these instances, the stored malicious code could be executed in their browsers, potentially leading to theft of sensitive information, session hijacking, or other client-side attacks. The impact is somewhat limited due to the high privileges required to exploit the vulnerability and the need for user interaction.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. The vulnerability has been addressed in Concrete CMS version 9.3.3.

Mitigation

1. Update Concrete CMS to version 9.3.3 or later.
2. If immediate updating is not possible, implement strict access controls for administrator accounts and monitor their activities closely.
3. Regularly audit Board instances for any suspicious content or code.
4. Implement Content Security Policy (CSP) headers to mitigate the impact of XSS attacks.
5. Educate users about the risks of clicking on suspicious links or interacting with unexpected content, even within the trusted CMS environment.

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

First Article

Feedly found the first article mentioning CVE-2024-7512. See article

Aug 9, 2024 at 12:31 AM / CVE
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Aug 9, 2024 at 12:32 AM
CVE Assignment

NVD published the first details for CVE-2024-7512

Aug 12, 2024 at 1:38 PM
CVSS

A CVSS base score of 1.8 has been assigned.

Aug 12, 2024 at 1:41 PM / nvd
CVSS

A CVSS base score of 4.8 has been assigned.

Aug 30, 2024 at 6:20 PM / nvd

Affected Systems

Concretecms/concrete_cms

Patches

documentation.concretecms.org

Links to MITRE ATT&CK

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables

References

9.3.3 Release Notes :: Concrete CMS
Although the patch could not be applied cleanly to version 8, the Secure Flag setting can be configured via the dashboard. Versions below 9 are not affected. Thanks m3dium for reporting HackerOne 2486344.

News

Concrete CMS 9.3.3
Use Installatron's optional Automatic Update feature to automatically apply Concrete CMS updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Concrete CMS install to test the 9.3.3 upgrade prior to applying it live. Concrete CMS version 9.3.3 is now available (security release).
CVE-2024-7512
Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in Board instances. A rogue administrator could inject malicious code. The Concrete CMS security team gave this vulnerability a CVSS 4.0 Score of 1.8 with vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Versions below 9 are not affected. Thanks, m3dium for reporting.
CVE-2024-7512 | Concrete CMS up to 9.3.2 cross site scripting
A vulnerability was found in Concrete CMS up to 9.3.2 and classified as problematic. This issue affects some unknown processing. The manipulation leads to cross site scripting. The identification of this vulnerability is CVE-2024-7512. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.
CVE-2024-7512 Stored XSS in Board instances
Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in Board instances. A rogue administrator could inject malicious code. The Concrete CMS security team gave this vulnerability a CVSS 4.0 Score of 1.8 with vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Versions below 9 are not affected. Thanks, m3dium for...
CONCRETE CMS CVE-2024-7512 Stored XSS in Board instances
Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in Board instances. A rogue administrator could inject malicious code. The Concrete CMS security team gave this vulnerability a CVSS 4.0 Score of 1.8 with vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Versions below 9 are not affected. Thanks, m3dium for reporting. https://www.cve.org/CVERecord?id=CVE-2024-7512 https://hackerone.com/reports/2486344 https://documentation.concretecms.org/9-x/developers/introduction/version-history/933-release-notes #ConcreteCMS #CVE_2024_7512 #bot

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability Impact: None
