Concrete CMS Stored XSS Vulnerability in Calendar Event Addition Feature
Description
Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with permission to modify event calendars can execute scripts. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N. Thank you, Yusuke Uchida, for reporting. (CNA updated this risk rank on 20 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC.)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Concrete CMS stored XSS in calendar event names allows scripts to execute when events are created or modified by privileged users.
Vulnerability
Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 contain a stored cross-site scripting (XSS) vulnerability in the calendar event addition feature. The root cause is that the calendar event name field is not sanitized on output, allowing malicious HTML or JavaScript to be stored and later executed in the context of a user's browser [1].
Exploitation
An attacker must have permission to create event calendars in order to inject a malicious script into the event name field. Additionally, users or groups with permission to modify event calendars can also embed scripts. The attack is performed over the network (AV:N) with low attack complexity; however, it requires high privileges (PR:H) and user interaction (UI:A) to trigger the execution [1]. The CVSS v4 score is 4.6, indicating a moderate severity [1].
Impact
Successful exploitation allows an attacker to execute arbitrary scripts in the context of a victim's session when the event name is rendered. This could lead to data theft, session hijacking, or other client-side attacks, though the confidentiality impact is limited (SC:L) [1].
Mitigation
Concrete CMS addressed this vulnerability in version 9.3.4 for the 9.x branch and version 8.5.19 for the 8.x branch. Patches were committed in pull requests #12183 and #12184 (for version 9) and in commit 7c8ed0d1d9db0d7f6df7fa066e0858ea618451a5 (for version 8) [2][3][4]. Users are advised to upgrade immediately. No workarounds have been provided.
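The root cause and the fix described above come down to one output sink: an event name read from storage and written into an `<h3>` without HTML encoding. The following PHP is an added example written for this page, not Concrete CMS's own code. It models the vulnerable and the hardened rendering side by side; the `h()` helper here is an assumption modelled as a thin wrapper over PHP's built-in `htmlspecialchars()`, standing in for the project's template helper of the same name, and the stored event name is a constructed sample.

```php
<?php
// Added example (not Concrete CMS code). Models the pattern behind the fix in
// the event version dialog: an event name rendered into an <h3> verbatim
// versus rendered through an HTML output encoder.
//
// Assumption: h() is modelled as a thin wrapper over htmlspecialchars(); the
// real project helper is not reproduced here.

declare(strict_types=1);

/** HTML-encode a string for use in element content or a quoted attribute. */
function h(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Vulnerable rendering: the stored name is interpolated into markup as-is. */
function renderEventHeadingUnsafe(string $eventName): string
{
    return '<h3>' . $eventName . '</h3>';
}

/** Hardened rendering: the stored name is encoded at the output sink. */
function renderEventHeadingSafe(string $eventName): string
{
    return '<h3>' . h($eventName) . '</h3>';
}

/**
 * Regression check a template test can reuse: the rendered heading must not
 * contain an unencoded tag or an unencoded quote that came from the name.
 */
function headingIsEncoded(string $rendered, string $eventName): bool
{
    $inner = substr($rendered, strlen('<h3>'), -strlen('</h3>'));
    foreach (['<', '>', '"', "'"] as $ch) {
        if (str_contains($eventName, $ch) && str_contains($inner, $ch)) {
            return false;
        }
    }
    return true;
}

// Constructed sample: an event name a user with calendar permissions could store.
$storedName = 'Release planning <script>alert(1)</script>';

$unsafe = renderEventHeadingUnsafe($storedName);
$safe   = renderEventHeadingSafe($storedName);

echo "Unsafe: {$unsafe}", PHP_EOL;
echo "Safe:   {$safe}", PHP_EOL;

// The unencoded variant fails the check; the encoded variant passes.
if (headingIsEncoded($unsafe, $storedName)) {
    throw new RuntimeException('unsafe rendering unexpectedly passed');
}
if (!headingIsEncoded($safe, $storedName)) {
    throw new RuntimeException('safe rendering failed to encode the name');
}
```

The point the example makes is that encoding belongs at the sink, at the moment the value is written into HTML, not at the time the event is saved: the same name may later be rendered into an attribute, a JSON payload, or plain text, each of which needs a different encoder. A `headingIsEncoded`-style assertion run against every template that prints the event name is a cheap way to catch a second unescaped sink of the kind this advisory describes.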
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| concrete5/concrete5 | Packagist | >= 9.0.0, < 9.3.4 | 9.3.4 |
| concrete5/concrete5 | Packagist | < 8.5.19 | 8.5.19 |
Affected products
- Concrete CMS / Concrete CMS (v5), range: 9.0.0
Patches
- 7c8ed0d1d9db · ix H1 2400810
1 file changed · +1 −1
concrete/views/dialogs/event/view_version.php+1 −1 modified@@ -12,7 +12,7 @@ <?php if (!$version->isApproved()) { ?> <div class="alert alert-info"><?=t('This occurrence belongs to an event version that is not yet approved.')?></div> <?php } ?> - <h3><?=$version->getName()?></h3> + <h3><?=h($version->getName())?></h3> <?php $repetitions = $version->getRepetitions();
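Review bot: the `<h3>` in view_version.php now passes `$version->getName()` through `h()`, which closes the sink this advisory describes, but the hunk touches only that one heading; the same name is presumably printed by other calendar templates (event lists, the occurrence dialog, the edit form), so the reviewer should confirm each of those sinks encodes it as well, otherwise the stored payload still fires elsewhere. A template-level regression test that renders an event whose name contains `<` and asserts the output contains `&lt;` would make the fix verifiable rather than a one-line visual check.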
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-x8h2-255q-jg4x (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-7398 (GHSA, advisory)
- documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes (GHSA, web)
- documentation.concretecms.org/developers/introduction/version-history/8519-release-notes (GHSA, web)
- github.com/concretecms/concretecms/commit/7c8ed0d1d9db0d7f6df7fa066e0858ea618451a5 (GHSA, web)
- github.com/concretecms/concretecms/pull/12183 (GHSA, web)
- github.com/concretecms/concretecms/pull/12184 (GHSA, web)