CVE-2022-43695
Description
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn’t exist or, if it does exist, contains XSS since it was not properly sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| concrete5/concrete5 (Packagist) | < 8.5.10 | 8.5.10 |
| concrete5/concrete5 (Packagist) | >= 9.0.0, < 9.1.3 | 9.1.3 |
Affected products
- Concrete CMS / Concrete CMS (source: CVE description)
Patches
Vulnerability mechanics
Root cause
"Missing output sanitization of entity names in the entity association dashboard page allows stored cross-site scripting."
Attack vector
An attacker with dashboard access can create or modify an Express entity and supply a name containing malicious JavaScript (e.g., `
Affected code
The vulnerability exists in the dashboard page at `/dashboard/system/express/entities/associations`. The code path that renders entity names in this dashboard page does not sanitize output, allowing stored XSS when an entity name containing malicious HTML/JavaScript is displayed.
What the fix does
The patch [patch_id=1641218] adds sanitization to entity names rendered on the entity association dashboard page. By escaping HTML output before displaying entity names, the fix prevents injected script tags or event handlers from executing in the browser. This closes the stored XSS vector that existed when unsanitized entity names were rendered in the dashboard interface.
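As an added illustration (not Concrete CMS source code and not the actual patch), the script below contrasts the unescaped rendering pattern the root cause describes with an output-escaped version, and adds the check a practitioner wants after updating: the fix stops the payload from executing, it does not remove names that were already stored. The row layout, function names and sample entity names are assumptions constructed for this example. Concrete's templates normally escape through the `h()` helper, which wraps `htmlspecialchars`; plain PHP is used here so the file runs stand-alone with the `php` CLI.

```php
<?php
declare(strict_types=1);
// Added example (not Concrete CMS code): unsafe vs. escaped rendering of an
// Express entity name, in the spirit of CVE-2022-43695, plus a post-patch
// review helper. All names below are constructed sample data.

// Constructed sample data: entity names as an attacker with dashboard access
// could have stored them. Not taken from any real installation.
const SAMPLE_ENTITY_NAMES = [
    'Customer',
    'Order <b>Priority</b>',
    '<script>alert(document.cookie)</script>',
    '" autofocus onfocus="alert(1)',
];

/**
 * Vulnerable pattern: the stored name is concatenated straight into the
 * markup, in both an attribute and a text context. This is the shape of
 * bug the advisory describes; the real template differs.
 */
function renderAssociationRowVulnerable(string $entityName): string
{
    return '<td data-name="' . $entityName . '">' . $entityName . '</td>';
}

/**
 * Hardened pattern: escape at output time. ENT_QUOTES matters for the
 * attribute context; without it a double quote in the name still breaks
 * out of data-name="...". ENT_SUBSTITUTE avoids returning an empty string
 * on invalid UTF-8, which would otherwise hide the row entirely.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderAssociationRowFixed(string $entityName): string
{
    $safe = escapeHtml($entityName);
    return '<td data-name="' . $safe . '">' . $safe . '</td>';
}

/**
 * Post-patch review: flag stored names containing markup metacharacters or
 * an inline event-handler attribute so they can be inspected and renamed.
 * Deliberately broad; a false positive here only costs a manual look.
 */
function findSuspiciousEntityNames(array $names): array
{
    return array_values(array_filter(
        $names,
        static fn(string $n): bool => (bool) preg_match('/[<>"\']|on\w+\s*=/i', $n)
    ));
}

foreach (SAMPLE_ENTITY_NAMES as $name) {
    echo 'vulnerable: ', renderAssociationRowVulnerable($name), PHP_EOL;
    echo 'fixed:      ', renderAssociationRowFixed($name), PHP_EOL, PHP_EOL;
}

echo 'Stored names needing review:', PHP_EOL;
foreach (findSuspiciousEntityNames(SAMPLE_ENTITY_NAMES) as $name) {
    echo ' - ', $name, PHP_EOL;
}
```

Run it with `php example.php` and compare the two renderings of the last two sample names: in the vulnerable output the fourth name closes the `data-name` attribute and injects an `onfocus` handler, while the escaped output keeps it inert text. Because the fix is applied at render time, upgrading to 8.5.10 or 9.1.3 does not clean existing data; the names the last function lists are the ones to review in the Express entities dashboard after updating.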
Preconditions
- Auth: the attacker must have dashboard access to create or modify Express entities.
- Input: the entity name field must accept arbitrary input without sanitization.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8699-h45g-7hm8 (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2022-43695 (advisory, via GHSA)
- documentation.concretecms.org/developers/introduction/version-history/8510-release-notes (web, via GHSA)
- documentation.concretecms.org/developers/introduction/version-history/913-release-notes (web, via GHSA)
- github.com/concretecms/concretecms/releases/8.5.10 (web, via GHSA)
- github.com/concretecms/concretecms/releases/9.1.3 (web, via GHSA)
- www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31 (web, via GHSA)
News mentions
No linked articles in our index yet.