Medium severity6.1NVD Advisory· Published Mar 15, 2017· Updated May 13, 2026

CVE-2017-6908

Description

An issue was discovered in concrete5 <= 5.6.3.4. The vulnerability exists due to insufficient filtration of user-supplied data (fID) passed to the "concrete5-legacy-master/web/concrete/tools/files/selector_data.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

Affected products

Concrete5/Concrete5
cpe:2.3:a:concrete5:concrete5:*:*:*:*:*:*:*:*
Range: <=5.6.3.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/concrete5/concrete5-legacy/commit/62046f511fc02ad783ad170404c80db3c69f0408nvdPatchThird Party Advisory
github.com/concrete5/concrete5-legacy/issues/1948nvdExploitThird Party Advisory
www.securityfocus.com/bid/96891nvdThird Party AdvisoryVDB Entry

News mentions

No linked articles in our index yet.

cvss	0.397
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000