4.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-8660

CVE-2024-8660: Concrete CMS stored XSS vulnerability in the "Top Navigator Bar" block

Concrete CMS versions 9.0.0 through 9.3.3 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block. Since the "Top Navigator Bar" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted users visited the home page. This does not affect versions below 9.0.0 since they do not have the Top Navigator Bar Block. Thanks, Chu Quoc Khanh for reporting.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-8660

CVE-2024-8660:

4.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
concrete5/concrete5	composer	>= 9.0.0, < 9.3.3	9.3.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing h() HTML escaping in multiple template files. The commit diff shows h() was added to sanitize user-controlled inputs/outputs in:

edit.php's brandingText input field (admin-controlled)
view.php's $brandingText outputs (displayed to users)
view.php's $searchAction URL (user-influenced)
view.php's $item->getName() (menu item names). These locations previously echoed raw user input, enabling XSS. The high confidence comes from direct evidence in the patch and CWE-79 context.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-8660: Concrete CMS stored XSS vulnerability in the "Top Navigator Bar" block

CVE-2024-8660:

4.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

4.8

4.8

CVE-2024-8660: Concrete CMS stored XSS vulnerability in the "Top Navigator Bar" block

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI