VYPR
Low severity · NVD Advisory · Published Apr 28, 2023 · Updated Jan 31, 2025

CVE-2023-28820

Description

Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions   Patched versions
concrete5/concrete5 (Packagist)  < 9.1.0             9.1.0

Affected products: 2

Patches

Vulnerability mechanics

Root cause

"Missing input sanitization on the href attribute of the RSS Displayer block allows stored XSS."

Attack vector

An attacker with the ability to create or edit an RSS Displayer block can inject arbitrary JavaScript into the `href` attribute of a link element, because the input is not sanitized [patch_id=1640886]. The stored XSS payload executes when a victim views the page containing the malicious RSS Displayer block. No special network position is required beyond normal web access to the Concrete CMS instance. The advisory does not specify additional preconditions such as authentication level.

Affected code

The CHANGELOG entry for version 9.1.0 lists a security fix referencing HackerOne report 1483104 and notes "Fixed several places where we weren’t sanitizing file names in the file manager and stacks page." However, the patch file provided (f1a0eb94bc70d74c58ec8746a7a940cf8257bf22) only updates CHANGELOG.md and does not contain the actual code diff that fixes the vulnerability. Therefore, the specific functions, files, or code paths at fault are not visible in this bundle.

What the fix does

The provided patch (f1a0eb94bc70d74c58ec8746a7a940cf8257bf22) only updates CHANGELOG.md to document the security fixes in version 9.1.0, including the fix for HackerOne report 1483104 and sanitization of file names. The actual code changes that close the vulnerability are not included in this bundle. Based on the CVE description, the fix would involve sanitizing the `href` attribute input in the RSS Displayer block to prevent stored XSS.
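Since the fix diff itself is not in this bundle, the following Python is an added illustration (not Concrete CMS code) of what "sanitizing the href attribute" has to mean for a feed-rendering block: normalise the value the way browsers do, allow only http(s) schemes, and only then escape it as an attribute. The feed content is constructed.

```python
import html
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample feed (not from Concrete CMS). Items 2 and 3 carry the kind of
# <link> value that is harmless as text but executes script if placed in an href.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>demo</title>
<item><title>Release notes</title><link>https://example.org/notes</link></item>
<item><title>Click &lt;b&gt;me&lt;/b&gt;</title><link>javascript:alert(1)</link></item>
<item><title>Odd case</title><link> JAVA&#9;SCRIPT:alert(1)</link></item>
<item><title>Relative</title><link>/local/path</link></item>
</channel></rss>"""

ALLOWED_SCHEMES = {"http", "https"}
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def safe_href(raw):
    """Return an absolute http(s) URL fit for an href, or None to drop the link.
    Browsers strip leading/trailing C0 controls and drop tab/CR/LF anywhere
    before parsing, so the same normalisation happens here before the scheme
    check; otherwise a tab inside 'javascript:' slips past a naive prefix test."""
    if raw is None:
        return None
    candidate = re.sub(r"[\t\n\r]", "", raw.strip(_C0_AND_SPACE))
    m = _SCHEME_RE.match(candidate.lower())
    if not m or m.group(1) not in ALLOWED_SCHEMES:
        return None  # javascript:, data:, vbscript:, relative and scheme-less values
    if not urlsplit(candidate).netloc:
        return None  # e.g. "https:foo" has the right scheme but no host
    return candidate


def render_items(rss_xml):
    """Render feed items as an HTML list. Titles are escaped as text and hrefs as
    attribute values, but escaping alone does not stop a well-formed
    javascript: URL, hence the scheme check in safe_href()."""
    root = ET.fromstring(rss_xml)
    parts = []
    for item in root.iter("item"):
        title = html.escape(item.findtext("title", default=""), quote=True)
        href = safe_href(item.findtext("link"))
        if href is None:
            parts.append(f"<li>{title}</li>")  # keep the text, drop the link
        else:
            parts.append(f'<li><a href="{html.escape(href, quote=True)}">{title}</a></li>')
    return "<ul>" + "".join(parts) + "</ul>"
```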

Preconditions

  • [auth] Attacker must have the ability to create or edit an RSS Displayer block on the Concrete CMS instance.
  • [input] The victim must view a page that contains the malicious RSS Displayer block.

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.