VYPR
Moderate severity · NVD Advisory · Published Aug 8, 2024 · Updated Sep 25, 2025

Concrete CMS version 9.0.0 through 9.3.2 and below 8.5.18 - Stored XSS in getAttributeSetName()

CVE-2024-7394

Description

Concrete CMS versions 9 through 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in getAttributeSetName(). A rogue administrator could inject malicious code. The Concrete CMS team gave this a CVSS v4.0 rank of 4.6 with vector https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks, m3dium for reporting. (CNA updated this risk rank on 20 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC)

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Concrete CMS versions 9 through 9.3.2 and below 8.5.18 contain a stored XSS in getAttributeSetName() allowing a rogue admin to inject malicious code.

Vulnerability Overview

Concrete CMS versions 9 through 9.3.2 and versions below 8.5.18 are vulnerable to a stored cross-site scripting (XSS) flaw in the getAttributeSetName() function. The vulnerability arises from insufficient sanitization of output when rendering attribute set names, enabling a rogue administrator to inject arbitrary JavaScript or HTML into the application [1].

Exploitation Conditions

Exploitation requires authenticated access with administrative privileges, as the injection occurs through administrative interfaces. The attack complexity is high, and user interaction is required (e.g., a victim administrator visits a page displaying the attribute set name). No network access beyond standard HTTP is needed, but the attacker must already have admin-level permissions [1][2].

Impact

Successful exploitation could lead to low confidentiality and integrity impact. The injected script executes in the context of the affected user's session, potentially allowing the attacker to perform actions on behalf of that user or steal sensitive information, though the scope remains unchanged [1]. The CVSS v4.0 score was initially 4.6 but later adjusted to 1.8 based on revised access complexity considerations [1][4].

Mitigation

The vulnerability was fixed in Concrete CMS versions 9.3.3 and 8.5.18, which include proper output sanitization via commit #12166 [2][3][4]. Users should upgrade to these patched versions immediately. There are no known workarounds, and the issue does not appear on the CISA KEV list.
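As an added illustration (not code from Concrete CMS or its fix commits), the two output contexts the patches touch, a heading in the HTML body and the value of an edit-form field, side by side in their unescaped and escaped forms. The AttributeSet class, the local h() (assumed to behave like Concrete's helper) and the escaping getAttributeSetDisplayName() are stand-ins, and the sample name is constructed.

```php
<?php
// Added illustration, not code from Concrete CMS or its fix commits. AttributeSet, h()
// and getAttributeSetDisplayName() are stand-ins: h() is assumed to match Concrete's
// helper, and the display accessor is assumed to return the HTML-escaped stored name.
declare(strict_types=1);

function h(string $s): string
{
    // Escape for both HTML body and quoted attribute contexts.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

final class AttributeSet
{
    public function __construct(private int $id, private string $name) {}
    public function getAttributeSetID(): int { return $this->id; }
    /** Raw stored value, exactly as an administrator saved it. */
    public function getAttributeSetName(): string { return $this->name; }
    /** Hypothetical escaped accessor standing in for the one the patch switches to. */
    public function getAttributeSetDisplayName(): string { return h($this->name); }
}

/** Pre-fix list.php pattern: the stored name is written into the HTML body unescaped. */
function renderHeadingVulnerable(AttributeSet $set): string
{
    return '<h4>' . $set->getAttributeSetName() . '</h4>';
}

/** Post-fix pattern: the escaped name is written instead. */
function renderHeadingFixed(AttributeSet $set): string
{
    return '<h4>' . $set->getAttributeSetDisplayName() . '</h4>';
}

/** Edit-form field escaped once, from the raw value, so the name round-trips on save. */
function renderNameField(AttributeSet $set): string
{
    return '<input type="text" name="asName" value="' . h($set->getAttributeSetName()) . '">';
}

/** The pitfall behind the sets.php hunk: escaping an already escaped value corrupts it. */
function renderNameFieldDoubleEscaped(AttributeSet $set): string
{
    return '<input type="text" name="asName" value="' . h($set->getAttributeSetDisplayName()) . '">';
}

// Constructed sample name containing markup characters (benign text, no script).
$set = new AttributeSet(7, 'Product <b>specs</b> & "sizes"');
echo renderHeadingVulnerable($set), PHP_EOL;      // markup survives into the DOM
echo renderHeadingFixed($set), PHP_EOL;           // entities only, shown as literal text
echo renderNameField($set), PHP_EOL;              // browser decodes back to the stored name
echo renderNameFieldDoubleEscaped($set), PHP_EOL; // double-encoded entities, saved as such
```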

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                           Affected versions    Patched versions
concrete5/concrete5 (Packagist)   < 8.5.18             8.5.18
concrete5/concrete5 (Packagist)   >= 9.0.0, < 9.3.3    9.3.3

Affected products: 2

Patches: 3
c08d9671cec4

Cherry-pick two commits from 9

https://github.com/concretecms/concretecms · Andrew Embler · Aug 1, 2024 · via ghsa
3 files changed · +4 −4
  • concrete/blocks/rss_displayer/controller.php (+1 −1, modified)
    @@ -157,7 +157,7 @@ public function view()
                     ++$i;
                 }
             } catch (\Exception $e) {
    -            $this->set('errorMsg', $e->getMessage());
    +            $this->set('errorMsg', t('Unable to load RSS posts.'));
             }
     
             $this->set('posts', $posts);
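Review bot: the removed line handed `$e->getMessage()` straight to the view, so whatever text the exception carried (feed parser errors commonly quote the offending input) was rendered into the page; replacing it with the fixed, translatable `t('Unable to load RSS posts.')` is the right sink-side change. The hunk drops the original message entirely, so consider still recording it through the application logger to keep feed failures diagnosable.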
    
  • concrete/blocks/rss_displayer/view.php (+1 −1, modified)
    @@ -7,7 +7,7 @@
     <?php if (strlen($title) > 0) {
         ?>
         <div class="ccm-block-rss-displayer-header">
    -    	<h5><?=$title?></h5>
    +    	<h5><?=h($title)?></h5>
         </div>
     <?php 
     } ?>
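Review bot: `h($title)` escapes at the point of output, which is the correct place for an HTML-body sink, but only this one line changes; the review should check the block's other templates and its edit form for further unescaped uses of `$title`. Minor: both changed lines keep a tab inside space indentation, worth normalising while they are being touched.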
    
  • concrete/config/concrete.php (+2 −2, modified)
    @@ -6,8 +6,8 @@
          *
          * @var string
          */
    -    'version' => '8.5.17',
    -    'version_installed' => '8.5.17',
    +    'version' => '8.5.18',
    +    'version_installed' => '8.5.18',
         'version_db' => '20220319043123', // the key of the latest database migration
     
         /*
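Review bot: the bump from 8.5.17 to 8.5.18 matches the advisory's patched version for the 8.x series, and `version_db` is left untouched, consistent with no migrations in this change. Since this commit contains only the RSS displayer fixes and not the getAttributeSetName() change, confirm that the 8.5.18 tag also carries the attribute-set commit before treating this bump as the security release.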
    
e7e0eb95a0c4

Fix stored XSS in attribute sets

https://github.com/concretecms/concretecms · Andrew Embler · Aug 1, 2024 · via ghsa
2 files changed · +2 −2
  • concrete/elements/attribute/key/list.php (+1 −1, modified)
    @@ -3,7 +3,7 @@
     
     foreach ($sortable_sets as $set) {
         ?>
    -    <h4><?=$set->getAttributeSetName()?></h4>
    +    <h4><?=$set->getAttributeSetDisplayName()?></h4>
         <ul class="item-select-list ccm-attribute-list-wrapper" data-sortable-attribute-set="<?=$set->getAttributeSetID()?>">
             <?php
             foreach ($set->getAttributeKeys() as $key) {
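Review bot: the fix swaps the accessor instead of wrapping the output in `h()`, so the hunk itself does not show any escaping; before accepting it, confirm that `getAttributeSetDisplayName()` HTML-escapes the stored name, and grep the rest of the templates for remaining `getAttributeSetName()` calls, since a stored name reaches every sink that prints it, not just this heading.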
    
  • concrete/single_pages/dashboard/system/attributes/sets.php (+1 −1, modified)
    @@ -44,7 +44,7 @@
     
                         <div class="form-group">
                             <?php echo $form->label('asName', t('Name'))?>
    -                        <?php echo $form->text('asName', $set->getAttributeSetName())?>
    +                        <?php echo $form->text('asName', $set->getAttributeSetDisplayName())?>
                         </div>
     
                         <div class="form-group">
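Review bot: passing the display name into `$form->text()` as the field value raises a double-encoding question: if `getAttributeSetDisplayName()` returns HTML-escaped text and the form helper escapes the `value` attribute as well, the administrator sees entity sequences in the edit box and saving the form writes the escaped string back as the name. The value should be escaped exactly once, at the attribute sink; the hunk alone cannot show which layer does it, so that needs checking against the helper.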
    
3a5974e94892

Fix stored XSS in attribute sets

https://github.com/concretecms/concretecms · Andrew Embler · Aug 1, 2024 · via ghsa
2 files changed · +2 −2
  • concrete/elements/attribute/key/list.php (+1 −1, modified)
    @@ -3,7 +3,7 @@
     
     foreach ($sortable_sets as $set) {
         ?>
    -    <h4><?=$set->getAttributeSetName()?></h4>
    +    <h4><?=$set->getAttributeSetDisplayName()?></h4>
         <ul class="item-select-list ccm-attribute-list-wrapper" data-sortable-attribute-set="<?=$set->getAttributeSetID()?>">
             <?php
             foreach ($set->getAttributeKeys() as $key) {
    
  • concrete/single_pages/dashboard/system/attributes/sets.php (+1 −1, modified)
    @@ -44,7 +44,7 @@
     
                         <div class="form-group">
                             <?php echo $form->label('asName', t('Name'))?>
    -                        <?php echo $form->text('asName', $set->getAttributeSetName())?>
    +                        <?php echo $form->text('asName', $set->getAttributeSetDisplayName())?>
                         </div>
     
                         <div class="form-group">
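Review bot: this diff is line for line identical to e7e0eb95a0c4 (the same fix carried to the other release branch), so the two points raised there apply unchanged: verify that `getAttributeSetDisplayName()` escapes the stored name, and make sure the `$form->text()` value in sets.php is escaped exactly once so the name round-trips on save.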
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 8
