CVE-2022-43968
Description
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the dashboard icons due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| concrete5/concrete5 (Packagist) | < 8.5.10 | 8.5.10 |
| concrete5/concrete5 (Packagist) | >= 9.0.0, < 9.1.3 | 9.1.3 |
Affected products
- Concrete CMS / Concrete CMS
Patches
Vulnerability mechanics
Root cause
"Un-sanitized output on the dashboard icons page allows reflected cross-site scripting (XSS)."
Attack vector
An attacker can craft a URL whose parameter value carries a JavaScript payload that the dashboard icons page reflects without sanitization. When a logged-in administrator visits this crafted URL, the injected script executes in the context of the dashboard session. The attacker needs no authentication of their own but must induce an authenticated administrator to open the link. The vulnerability is classified as reflected XSS because of the un-sanitized output [patch_id=1641211].
Affected code
The vulnerability exists in the dashboard icons page of Concrete CMS. The advisory states that output on the icons dashboard page was not sanitized, leading to reflected XSS. The patch does not show the specific file or function changes, only the changelog entry referencing CVE-2022-43968.
What the fix does
The fix sanitizes output on the icons dashboard page before rendering it to the browser. The changelog entry for CVE-2022-43968 states "Sanitized output on the icons dashboard page to prevent reflected XSS" [patch_id=1641211]. By applying proper output encoding or sanitization, any attacker-supplied input is neutralized so it cannot execute as JavaScript. This closes the reflected XSS vector on that page.
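Added example, not code from the Concrete CMS fix (the patch referenced above shows only the changelog entry, not the view file): the unsanitized output pattern beside its output-encoded form. The parameter name, the markup and the `esc()` wrapper are placeholders; `esc()` stands in for Concrete's own `h()` escaping helper, which is assumed to wrap `htmlspecialchars` the same way.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern: a request-derived value is echoed straight into the markup.
// "search" is a placeholder; the advisory does not name the reflected parameter.
function renderIconFilterUnsafe(string $filter): string
{
    return '<input name="search" value="' . $filter . '">';
}

// Fixed pattern: every request-derived value is HTML-encoded at output time.
// ENT_QUOTES encodes both quote styles, so the value can never close the attribute.
// Plain htmlspecialchars() is used here so the file runs stand-alone; in a Concrete
// view the same role is played by the global h() helper (assumption).
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderIconFilterSafe(string $filter): string
{
    return '<input name="search" value="' . esc($filter) . '">';
}

// Constructed sample input: a value that tries to close the attribute and
// add an event handler. Run with zend.assertions=1 to enable the self-checks.
$sample = '" onfocus="alert(1)" autofocus="';

$unsafe = renderIconFilterUnsafe($sample);
$safe   = renderIconFilterSafe($sample);

// In the unsafe output the injected attribute survives intact; in the safe
// output every quote from the input became &quot;, so the browser sees a single
// attribute value and only the template's own four quotes remain.
assert(strpos($unsafe, 'onfocus="') !== false);
assert(strpos($safe, 'onfocus="') === false);
assert(substr_count($safe, '"') === 4);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
```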
Preconditions
- auth: The attacker must trick an authenticated Concrete CMS administrator into visiting a crafted URL.
- config: The target Concrete CMS instance must be running a version below 8.5.10 or between 9.0.0 and 9.1.2.
- network: The attacker must be able to deliver a URL containing a malicious payload to the victim (e.g., via email or social engineering).
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8782-xgh5-r7mv [GHSA, advisory]
- nvd.nist.gov/vuln/detail/CVE-2022-43968 [GHSA, advisory]
- documentation.concretecms.org/developers/introduction/version-history/8510-release-notes [GHSA, web]
- documentation.concretecms.org/developers/introduction/version-history/913-release-notes [GHSA, web]
- github.com/concretecms/concretecms/releases/8.5.10 [GHSA, web]
- github.com/concretecms/concretecms/releases/9.1.3 [GHSA, web]
- www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31 [GHSA, web]