
CVE-2021-28145: Concrete CMS Cross-site Scripting via Survey Blocks

CVSS Score (v3.1): 5.4

Basic Information

EPSS Score: 0.42105%
Published: 5/24/2022
Updated: 8/3/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name: concrete5/concrete5
Ecosystem: composer
Vulnerable Versions: < 8.5.5
First Patched Version: 8.5.5

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The exact commit diff or code changes are not provided, making it challenging to directly identify the vulnerable functions. The vulnerability is related to XSS via survey blocks in Concrete CMS, which typically involves input processing and output rendering functions. Without specific code changes or function names from the patch, we cannot confidently list the vulnerable functions.

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

Concrete CMS (formerly concrete5) before 8.5.5 allows remote authenticated users to conduct Cross-site Scripting (XSS) attacks via a crafted survey block. This requires at least editor privileges.
