Moderate severity · NVD Advisory · Published Oct 10, 2023 · Updated Aug 2, 2024
CVE-2023-44763
Description
Concrete CMS v9.2.1 is affected by an Arbitrary File Upload vulnerability via a Thumbnail file upload, which allows Cross-Site Scripting (XSS). NOTE: the vendor's position is that a customer is supposed to know that "pdf" should be excluded from the allowed file types, even though pdf is one of the allowed file types in the default configuration.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| concrete5/concrete5 (Packagist) | <= 9.2.1 | — |
Affected products
- Concrete CMS/Concrete CMS
References
- github.com/advisories/GHSA-wrp2-6v6j-hfmg (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-44763 (GHSA, advisory)
- web.archive.org/web/20231026034159/https://documentation.concretecms.org/user-guide/editors-reference/dashboard/system-and-maintenance/files/allowed-file-types (GHSA, web)
- www.concretecms.org/about/project-news/security/security-advisory-2023-10-25-concrete-cms-rejects-cve-2023-44763 (GHSA, web)