CVE-2022-43967
Description
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the multilingual report due to unsanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| concrete5/concrete5 (Packagist) | < 8.5.10 | 8.5.10 |
| concrete5/concrete5 (Packagist) | >= 9.0.0, < 9.1.3 | 9.1.3 |
Affected products
- Concrete CMS / Concrete CMS
Patches
Vulnerability mechanics
Root cause
"Unsanitized output in the multilingual dashboard report allows reflected cross-site scripting (XSS)."
Attack vector
An attacker can craft a URL containing a malicious JavaScript payload in a parameter that the multilingual report reflects without sanitization. When a logged-in administrator visits this crafted URL, the payload executes in the context of the dashboard session. The attack requires no special privileges beyond the victim being authenticated to the Concrete CMS dashboard. The advisory classifies this as a reflected XSS vulnerability [patch_id=1641214].
Affected code
The vulnerability exists in the multilingual dashboard report page. The advisory states that output was not sanitized before being rendered in this report [patch_id=1641214]. The exact file path is not shown in the patch, but the CHANGELOG entry confirms the affected component is the "multilingual dashboard report."
What the fix does
The fix sanitizes output in the multilingual dashboard report before rendering it to the browser. The CHANGELOG entry for version 8.5.10 explicitly states "Sanitized output in multilingual dashboard report to prevent reflected XSS" [patch_id=1641214]. By applying proper output encoding or escaping to user-controllable data displayed in this report, the application prevents injected HTML or JavaScript from being interpreted by the browser.
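The pattern the CHANGELOG entry describes, shown as an added illustration rather than Concrete CMS's own code (the affected template is not in the advisory, so the report page below is hypothetical): a dashboard report that echoes a query parameter as-is, beside the same page encoding the value for the HTML context at the point of output.

```php
<?php
// Added illustration, not Concrete CMS code. The advisory does not show the
// affected file, so this report page is a hypothetical stand-in for the pattern
// "request parameter reflected into the dashboard HTML without encoding".

// Vulnerable pattern: the filter value from the query string is concatenated
// into the markup unchanged, so any tag inside it becomes part of the page the
// administrator's browser renders.
function renderReportVulnerable(array $query): string
{
    $section = (string) ($query['section'] ?? '');
    return '<h2>Multilingual report for section: ' . $section . '</h2>';
}

// Hardened pattern: encode at the output boundary. ENT_QUOTES also escapes
// single and double quotes, so the same helper is safe inside attribute values;
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderReportFixed(array $query): string
{
    $section = (string) ($query['section'] ?? '');
    return '<h2>Multilingual report for section: ' . escapeHtml($section) . '</h2>';
}

// Constructed sample request: a section name carrying a script tag.
$sample = ['section' => '<script>alert(1)</script>'];

echo "Before fix:\n", renderReportVulnerable($sample), "\n";
echo "After fix:\n", renderReportFixed($sample), "\n";
```

In the hardened output the angle brackets arrive as `&lt;` and `&gt;`, so the browser displays the text instead of executing it; the encoding must be applied to every reflected value, not only the one used here.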
Preconditions
- Input: Attacker must craft a URL with a malicious payload in a parameter reflected by the multilingual report page.
- Auth: Victim must be logged into the Concrete CMS dashboard and visit the crafted URL.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-vq39-q549-g786 (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2022-43967 (advisory, via GHSA)
- documentation.concretecms.org/developers/introduction/version-history/8510-release-notes (web, via GHSA)
- documentation.concretecms.org/developers/introduction/version-history/913-release-notes (web, via GHSA)
- github.com/concretecms/concretecms/releases/8.5.10 (web, via GHSA)
- github.com/concretecms/concretecms/releases/9.1.3 (web, via GHSA)
- www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31 (web, via GHSA)