| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| concrete5/concrete5 | composer | < 8.5.21 | 8.5.21 |
| concrete5/concrete5 | composer | >= 9.0.0RC1, < 9.4.3 | 9.4.3 |
The vulnerability is a reflected Cross-Site Scripting (XSS) issue in Concrete CMS. The analysis of the provided patches reveals several vulnerable functions that were fixed to mitigate this issue.
The core of the vulnerability lies in the improper handling of user-supplied input that is later rendered on the page. The patches show two main areas of weakness:
URL Generation: The Concrete\Core\Utility\Service\Url::setVariable function was responsible for constructing URLs. Before the patch, it did not properly encode special characters like quotes and newlines. This allowed an attacker to craft a URL that, when processed by this function and embedded in an HTML attribute like href, could break out of the attribute and inject malicious JavaScript.
Unescaped Database Output: The functions Concrete\Controller\SinglePage\Dashboard\Users\Search::getFolderList and Concrete\Core\User\Search\ColumnSet\DefaultSet::getFolderName were fetching data from the database (specifically, treeNodeName) and returning it without proper HTML escaping. This data, if it contained malicious scripts, would be rendered directly on the dashboard pages, leading to XSS.
The patches address these issues by:
Updating Url::setVariable to percent-encode quotes and strip newline characters, preventing attribute injection.
Applying the h() (HTML escaping) function to the output of getFolderList and getFolderName so that any user-controlled data from the database is rendered as text rather than executed as code.
While the vulnerability description specifically mentions the "Conversation Messages Dashboard Page," the fixes are in more general utility and user search functions. This suggests that these vulnerable components were used on that page, and fixing them resolved the vulnerability there and potentially in other parts of the application as well.
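The two weaknesses described above, as an added illustration written for this page (not Concrete CMS source code): a URL-variable helper in the style of Url::setVariable in weak and hardened form, plus escaping at the render boundary in the role h() plays in the patch. The function names (setVariableWeak, setVariableHardened, escapeHtml) and the sample inputs are constructed.

```php
<?php
// Added illustration, not Concrete CMS source: a URL-variable helper in the
// style of Url::setVariable, shown weak and hardened, plus escaping at the
// render boundary (the role h() plays in the patch). Names are hypothetical.

// Weak: the value is concatenated verbatim, so a quote or newline survives
// into whatever attribute the URL is later placed in.
function setVariableWeak(string $base, string $name, string $value): string
{
    $sep = (strpos($base, '?') === false) ? '?' : '&';
    return $base . $sep . $name . '=' . $value;
}

// Hardened: newlines stripped, name and value percent-encoded (rawurlencode
// maps " to %22 and ' to %27), so no raw quote can reach the attribute.
function setVariableHardened(string $base, string $name, string $value): string
{
    $value = str_replace(["\r", "\n"], '', $value);
    $sep = (strpos($base, '?') === false) ? '?' : '&';
    return $base . $sep . rawurlencode($name) . '=' . rawurlencode($value);
}

// Output-boundary HTML escaping; ENT_QUOTES covers both quote styles so the
// result is safe inside double- and single-quoted attributes.
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: a tainted query parameter and a folder name as it might
// come back from the database (treeNodeName) without escaping.
$taintedParam = "x\" data-injected=\"1";
$folderName   = "<b>not plain text</b>";

$weak = setVariableWeak('/dashboard/users/search', 'keywords', $taintedParam);
$safe = setVariableHardened('/dashboard/users/search', 'keywords', $taintedParam);

// The weak link carries a raw quote into the href and gains an extra attribute.
echo '<a href="' . $weak . '">weak</a>' . PHP_EOL;
// The hardened link has nothing left to break out with; escaping it again
// when printing is cheap defence in depth.
echo '<a href="' . escapeHtml($safe) . '">hardened</a>' . PHP_EOL;
// Folder name rendered as text, not markup.
echo '<td>' . escapeHtml($folderName) . '</td>' . PHP_EOL;

// Sanity checks a test could keep: no raw quote or newline in the safe URL.
assert(strpos($safe, '"') === false && strpos($safe, "\n") === false);
assert(strpos(escapeHtml($folderName), '<') === false);
```

Run with the PHP CLI; the first printed link shows the injected attribute, the second and third lines show the same inputs neutralised.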