CVE-2022-43694
Description
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the image manipulation library due to un-sanitized output.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| concrete5/concrete5 | Packagist | < 8.5.10 | 8.5.10 |
| concrete5/concrete5 | Packagist | >= 9.0.0, < 9.1.3 | 9.1.3 |
Affected products
- Concrete CMS / Concrete CMS
Patches
Vulnerability mechanics
Root cause
"Un-sanitized output in an API endpoint of the Image Manipulation Library allows reflected cross-site scripting (XSS)."
Attack vector
An attacker can craft a malicious URL containing un-sanitized input that targets the Image Manipulation Library API endpoint. When a victim with access to the Concrete CMS dashboard clicks or is redirected to this URL, the injected script executes in the context of the victim's session. The attack is reflected (non-persistent) and requires the victim to be authenticated to the Concrete CMS instance. The advisory credits Bogdan and Adrian Tiron from FORTBRIDGE for reporting this issue [patch_id=1641219].
Affected code
The patch does not show the specific vulnerable file or function. The advisory states that the vulnerability exists in an API endpoint used by the Image Manipulation Library in Concrete CMS versions below 8.5.10 and between 9.0.0 and 9.1.2.
What the fix does
The patch entry in the changelog states that output in the affected API endpoint was sanitized to prevent reflected XSS [patch_id=1641219]. The specific code diff is not included in the provided bundle, so the exact sanitization mechanism (e.g., HTML entity encoding, escaping) is not visible. The fix ensures that any user-controllable data echoed back by the Image Manipulation Library API is properly escaped before being sent to the browser, preventing script injection.
Preconditions
- auth: The victim must be authenticated to the Concrete CMS dashboard.
- network: The attacker must be able to deliver a crafted URL to the victim (e.g., via a phishing email or link).
- config: The target Concrete CMS instance must be running a version below 8.5.10 or between 9.0.0 and 9.1.2.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-jfmc-3975-fv5f (advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2022-43694 (advisory)
- https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes (web)
- https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes (web)
- https://github.com/concretecms/concretecms/releases/8.5.10 (web)
- https://github.com/concretecms/concretecms/releases/9.1.3 (web)
- https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31 (web)