Miggo Logo
Miggo Vulnerability Database
CVE-2022-43556

CVE-2022-43556: Concrete CMS vulnerable to cross-site scripting in the text input field

4.2

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-43556
GHSA ID
GHSA-xj33-8r43-r227
EPSS Score
0.78047%
CWE
CWE-79
Published
12/6/2022
Updated
2/1/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
concrete5/concrete5composer< 8.5.108.5.10
concrete5/concrete5composer>= 9.0.0, < 9.1.39.1.3

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unsanitized output in dashboard breadcrumbs. Release notes explicitly mention 'Sanitized dashboard breadcrumbs to prevent stored XSS' as the fix for CVE-2022-43556. The breadcrumb generation functions in dashboard controllers would be the logical location for this vulnerability, as they handle user-controlled data display. While exact code isn't shown, the pattern matches common XSS vulnerabilities where output encoding was missing in UI components handling user-supplied data.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*on*r*t* *MS (*orm*rly *on*r*t**) **low *.*.** *n* **tw**n *.*.* *n* *.*.* is vuln*r**l* to XSS in t** t*xt input *i*l* sin** t** r*sult **s**o*r* p*** output is not s*nitiz**. T** *on*r*t* *MS s**urity t**m **s r*nk** t*is *.* wit* *VSS v*.* v**tor

Reasoning

T** vuln*r**ility st*ms *rom uns*nitiz** output in **s**o*r* *r****rum*s. R*l**s* not*s *xpli*itly m*ntion 'S*nitiz** **s**o*r* *r****rum*s to pr*v*nt stor** XSS' *s t** *ix *or *V*-****-*****. T** *r****rum* **n*r*tion *un*tions in **s**o*r* *ontrol