Moderate severity. NVD Advisory. Published Oct 23, 2023. Updated Aug 2, 2024.
CVE-2023-44760
Description
Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow an attacker to execute arbitrary code via a crafted script to the Header and Footer Tracking Codes of the SEO & Statistics. NOTE: the vendor disputes this because these header/footer changes can only be made by an admin, and allowing an admin to place JavaScript there is an intentional customization feature. Also, the exploitation method claimed by "sromanhu" does not provide any access to a Concrete CMS session, because the Concrete CMS session cookie is configured as HttpOnly.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| concrete5/concrete5 (Packagist) | <= 9.2.1 | — |
Affected products
- Concrete CMS / Concrete CMS (from description)
References
- github.com/advisories/GHSA-4qv6-37xq-mgq2 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-44760 (NVD advisory)
- github.com/sromanhu/CVE-2023-44760_ConcreteCMS-Stored-XSS---TrackingCodes/issues/1 (web)
- www.concretecms.org/about/project-news/security/security-advisory-2023-10-31-concrete-cms-rejects-cve-2023-44760-and-cve-2023-44766 (web, vendor dispute)