CVE-2022-30120
Description
XSS in Concrete CMS /dashboard/blocks/stacks/view_details/ affecting ≤8.5.7 and 9.0-9.0.2, exploitable only in old browsers without XSS protection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The vulnerability is a stored cross-site scripting (XSS) issue in the /dashboard/blocks/stacks/view_details/ endpoint of Concrete CMS. The root cause is insufficient sanitization of built URLs, allowing an attacker to inject malicious scripts [2].
Exploitation requires an older browser with built-in XSS protection disabled; modern web browsers automatically escape input, preventing this attack. The attack vector is network, with high attack complexity, no privileges required, and user interaction needed (e.g., clicking a malicious link) [2].
Successful exploitation can lead to low integrity impact (e.g., script execution in the dashboard context) but no confidentiality or availability impact according to the CVSS v3.1 vector [2].
Mitigation is available. Concrete CMS has patched this vulnerability in versions 8.5.8 and 9.1.0 [1][3]. Users are advised to upgrade to these or later versions.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| concrete5/core (Packagist) | >= 9.0.0, < 9.1.0 | 9.1.0 |
| concrete5/core (Packagist) | < 8.5.8 | 8.5.8 |
Affected products
- Concrete CMS/Concrete CMS (description)
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-m2ww-6wv6-vw3c (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-30120 (ghsa, ADVISORY)
- documentation.concretecms.org/developers/introduction/version-history/858-release-notes (ghsa, x_refsource_MISC, WEB)
- documentation.concretecms.org/developers/introduction/version-history/910-release-notes (ghsa, x_refsource_MISC, WEB)
- hackerone.com/reports/1363598 (ghsa, x_refsource_MISC, WEB)