2.2

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-2179

GHSA ID

GHSA-4m7h-34xm-4wjv

EPSS Score

0.26727%

CWE

CWE-20

Published

3/5/2024

Updated

9/3/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-2179

CVE-2024-2179: Concrete CMS Stored Cross-site Scripting vulnerability

Concrete CMS version 9 before 9.2.7 is vulnerable to Stored XSS via the Name field of a Group type since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Name field which might be executed when users visit the affected page. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 2.2 with a vector of AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N Concrete versions below 9 do not include group types so they are not affected by this vulnerability. Thanks Luca Fuda for reporting.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-2179

CVE-2024-2179:

2.2

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-2179

GHSA ID

GHSA-4m7h-34xm-4wjv

EPSS Score

0.26727%

CWE

CWE-20

Published

3/5/2024

Updated

9/3/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
concrete5/concrete5	composer	< 9.2.7	9.2.7

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient output encoding when rendering the group type name. The patch introduced getDisplayName() (which applies the h() escaping function) and replaced direct calls to getName() in these two methods. The original getName() method itself is a simple getter and not inherently vulnerable, but its unescaped usage in getSelectList() and getType() created the XSS vector. The high confidence comes from the direct correlation between the patched locations and the vulnerability description.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

2.2

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-2179: Concrete CMS Stored Cross-site Scripting vulnerability

CVE-2024-2179:

2.2

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

2.2

2.2

CVE-2024-2179: Concrete CMS Stored Cross-site Scripting vulnerability

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI