VYPR
Moderate severity · NVD Advisory · Published Aug 1, 2024 · Updated Jan 17, 2025

Stored XSS in Generate Board Name Input Field

CVE-2024-4353

Description

Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board instance functionality. The Name input field does not check the input sufficiently letting a rogue administrator have the capability to inject malicious JavaScript code. The Concrete CMS security team gave this vulnerability a CVSS v4 score of 4.6 with a vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Concrete versions below 9 are not affected by this vulnerability. Thanks fhAnso for reporting. (CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC.)

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Concrete CMS 9.0.0 through 9.3.2 is vulnerable to stored XSS: the Name given when generating a dashboard board instance is rendered without HTML escaping, so a rogue administrator can plant JavaScript that runs in other administrators' browsers.

Vulnerability

Overview

CVE-2024-4353 is a stored cross-site scripting (XSS) vulnerability affecting Concrete CMS versions 9.0.0 through 9.3.2. The bug resides in the 'generate dashboard board instance' functionality: the value of the 'Name' input field is saved as-is and later written into dashboard templates without HTML escaping. A malicious administrator can therefore store arbitrary HTML and JavaScript in the name, which executes in the browser of any other administrator who views the board instance list, its details page, or a board block that shows the instance name [1][4].

Exploitation

Details

Exploitation requires an authenticated user with administrative privileges, since creating dashboard board instances is restricted to administrators. The attack vector is network-based (AV:N), attack complexity is low (AC:L; the CNA lowered this in January 2025 because CVSS 4.0 guidance places the privilege requirement in PR rather than AC) and there are no special attack prerequisites (AT:N). Successful exploitation does depend on user interaction (UI:A): a target administrator must open a page that renders the crafted instance name. The fix, commit ff5a2aba, applies HTML escaping via the h() helper at each output site of the name, namely the board block's inline toolbar, the instance details page (where the configured data source name is escaped as well) and the instance list, so stored markup is rendered as text instead of being executed [2][4]. The patch escapes at output time only; the stored value itself is not changed.
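To make the mechanics in the Overview and Exploitation sections concrete, the following is an added example written for this page, not Concrete CMS's own code and not taken from the advisory: a reduced PHP version of the instance-list row before and after the fix, rendered against a constructed payload. The h() function, the BoardInstance class, the URL path and the payload are stand-ins and assumptions; Concrete's real h() helper and entity class are not reproduced.

```php
<?php
// Added example, not Concrete CMS code: a reduced version of the
// board-instance list row before and after the CVE-2024-4353 fix.

// Stand-in for Concrete's h() template helper. Assumption: it behaves like
// htmlspecialchars with ENT_QUOTES, so output is safe in element text and in
// double- or single-quoted attribute values.
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical stand-in for Concrete's BoardInstance entity; only the two
// accessors the templates use are modelled.
final class BoardInstance
{
    public function __construct(private int $id, private string $name)
    {
    }

    public function getBoardInstanceID(): int
    {
        return $this->id;
    }

    public function getBoardInstanceName(): string
    {
        return $this->name;
    }
}

// Pre-fix behaviour (9.0.0 through 9.3.2): the stored name is concatenated
// straight into the HTML, so markup saved by a rogue administrator is
// rendered as markup for everyone who opens the instance list.
function renderRowVulnerable(BoardInstance $instance): string
{
    $name = $instance->getBoardInstanceName() ?: '(Untitled)';
    $href = '/dashboard/boards/instances/details/' . $instance->getBoardInstanceID();

    return '<tr><td><a href="' . $href . '">' . $name . '</a></td></tr>';
}

// Post-fix behaviour (commit ff5a2aba): the name is escaped at the point of
// output. The href is escaped here too, which goes one step beyond the
// commit (it emits $href raw), so the attribute context is covered as well.
function renderRowFixed(BoardInstance $instance): string
{
    $name = $instance->getBoardInstanceName() ?: '(Untitled)';
    $href = '/dashboard/boards/instances/details/' . $instance->getBoardInstanceID();

    return '<tr><td><a href="' . h($href) . '">' . h($name) . '</a></td></tr>';
}

// Constructed payload of the kind an administrator could type into the Name
// field. An <img> with a bogus src needs no click from the victim: onerror
// fires as soon as the row is rendered in the other administrator's browser.
$payload  = '<img src=x onerror="alert(document.domain)">';
$instance = new BoardInstance(7, $payload);

$vulnerable = renderRowVulnerable($instance);
$fixed      = renderRowFixed($instance);

echo "vulnerable: $vulnerable\n";
echo "fixed:      $fixed\n";

// Regression check a reviewer would want in the test suite: the payload may
// survive as visible text but must never come out as a tag.
if (!str_contains($vulnerable, '<img src=x onerror=')) {
    throw new RuntimeException('vulnerable renderer did not reproduce the bug');
}
if (str_contains($fixed, '<img')) {
    throw new RuntimeException('escaping failed: tag survived in output');
}
if (!str_contains($fixed, '&lt;img src=x onerror=&quot;alert(document.domain)&quot;&gt;')) {
    throw new RuntimeException('escaping produced unexpected output');
}
```

Run with `php example.php` (PHP 8.0 or later for str_contains and constructor promotion). The point the two renderers make is that the fix is an output-encoding change: the same string sits in the database in both cases, and only the template decides whether it is text or markup, which is why every template that prints the name has to be patched, not just the form that accepts it.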

Impact

If exploited, an attacker can inject malicious scripts that execute in the browser of other administrators viewing the affected dashboard pages. This can lead to disclosure of sensitive information or manipulation of the CMS interface within the victim's session. The CVSS v4 score is 4.6 (medium), reflecting the need for high privileges and user interaction, but also acknowledging the potential for confidentiality and integrity impacts of low severity [1].

Mitigation

The vulnerability is fixed in Concrete CMS version 9.3.3, which includes the escaping patch [3]. Users running 9.0.0 through 9.3.2 should upgrade to 9.3.3 or later. No workarounds have been published. Because the fix escapes at render time, instance names that already contain markup are neutralised as soon as the patched templates serve them; reviewing existing board instance names for unexpected markup after upgrading is still worthwhile, since a stored payload indicates that an administrator account was misused. Versions prior to 9 are not affected [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: concrete5/concrete5 (Packagist)
Affected versions: >= 9.0.0, <= 9.3.2
Patched versions: (not listed in the advisory data)

Affected products: 2

Patches: 1

ff5a2aba7fbc

Merge pull request #12151 from concretecms/board-instance-names

https://github.com/concretecms/concretecms · Andrew Embler · Aug 1, 2024 · via ghsa
3 files changed · +10 −6
  • concrete/blocks/board/edit.php+1 1 modified
    @@ -20,7 +20,7 @@
     ?>
     <ul class="ccm-inline-toolbar ccm-ui" data-inline-toolbar="board">
         <li><a target="_blank" href="<?php echo Url::to('/dashboard/boards/instances/details', $boardInstanceId)?>">
    -        <?=t('Instance: %s', $instanceName)?>
    +        <?=t('Instance: %s', h($instanceName))?>
         </a></li>
         <?php
         /** @phpstan-ignore-next-line */
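Review bot: the href on the line just above the change still writes Url::to('/dashboard/boards/instances/details', $boardInstanceId) into an attribute without h(); $boardInstanceId is presumably an integer, but an explicit (int) cast, or wrapping the attribute value in h(), would make the toolbar safe even if the ID ever arrives as a string. Escaping the name before it goes through t() is the right order here: t() only substitutes the argument into a trusted translation string, so the escaped value stays escaped.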
    
  • concrete/single_pages/dashboard/boards/instances/details.php+2 2 modified
    @@ -13,7 +13,7 @@
         </div>
         <div class="col-8">
     
    -        <h2><?=$instance->getBoardInstanceName()?></h2>
    +        <h2><?= h($instance->getBoardInstanceName()) ?></h2>
     
             <hr>
     
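Review bot: escaping at output in the <h2> is the correct fix for this sink, but it covers the HTML-text context only; any other consumer of getBoardInstanceName() (JSON responses, JavaScript literals, attribute values) needs its own context-appropriate encoding, so it is worth grepping for the remaining call sites rather than relying on the three templates in this PR. Style point: the new line uses `<?= h(...) ?>` with inner spaces while the rest of this template uses the compact `<?=...?>` form; pick one.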
    @@ -42,7 +42,7 @@
                     ?>
                     <tr>
                         <td><?=$formatter->getListIconElement()?></td>
    -                    <td><?=$configuredSource->getName()?></td>
    +                    <td><?= h($configuredSource->getName()) ?></td>
                         <td class="text-center"><span class="badge bg-info"><?=$itemCount?></span></td>
                     </tr>
                 <?php } ?>
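Review bot: $itemCount in the badge on the line after the change is still emitted unescaped; if it is always an integer from a count query, a (int) cast would document that, otherwise wrap it in h() the way $configuredSource->getName() now is. $formatter->getListIconElement() presumably returns markup on purpose and so must stay raw, but a short comment saying so would keep the next reviewer from flagging it.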
    
  • concrete/single_pages/dashboard/boards/instances.php+7 3 modified
    @@ -25,15 +25,19 @@
                     </tr>
                 </thead>
                 <tbody>
    -                <?php foreach($instances as $instance) {
    +                <?php
    +                foreach($instances as $instance) {
                         $instanceName = $instance->getBoardInstanceName();
    +                    $href = URL::to('/dashboard/boards/instances/details', $instance->getBoardInstanceID());
                         if (!$instanceName) {
                             $instanceName = t('(Untitled)');
                         }
                         ?>
                         <tr>
    -                        <td><a href="<?=URL::to('/dashboard/boards/instances/details',
    -                            $instance->getBoardInstanceID())?>"><?=$instanceName?></a>
    +                        <td>
    +                            <a href="<?= $href ?>">
    +                                <?= h($instanceName) ?>
    +                            </a>
                             </td>
                             <td><?=$instance->getDateCreatedObject()->format('Y-m-d H:i:s')?></td>
     
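Review bot: pulling the URL out into $href is a good cleanup, but `<a href="<?= $href ?>">` still writes it into an attribute without escaping; if URL::to ever returns a query string, the ampersands should be &amp; in attribute context, so h($href) would be the consistent choice given that the name on the next line is now escaped. The fallback t('(Untitled)') now passes through h() as well, which is harmless. Note also that the new line breaks inside <a> put whitespace around the link text, a small rendering difference from the one-line original.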
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.