VYPR
Low severity · NVD Advisory · Published Aug 9, 2024 · Updated Jan 17, 2025

Concrete CMS Stored XSS in Board instances

CVE-2024-7512

Description

Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in Board instances. A rogue administrator could inject malicious code. The Concrete CMS security team gave this vulnerability a CVSS 4.0 Score of 4.6 with vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Versions below 9 are not affected. Thanks, m3dium for reporting. (CNA updated AC score to L based on CVSS 4.0 documentation)

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Concrete CMS 9.0.0 through 9.3.2 are vulnerable to stored XSS in Board instances, exploitable by a rogue administrator with high privileges and user interaction.

Vulnerability

Overview

Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored cross-site scripting (XSS) vulnerability within Board instances [1][2]. The root cause is insufficient sanitization of input data processed by Board components, allowing an authenticated administrator with high privileges to inject arbitrary malicious code that is then stored and executed in the context of other users' browsers [2].

Attack

Vector and Exploitation

Exploitation of this vulnerability requires an attacker to possess administrative privileges on a Concrete CMS installation and to have access to the Board editor functionality [1][2]. The attack is network-based, with low attack complexity, and requires user interaction from a victim to trigger the stored payload [2]. A rogue administrator can inject malicious script into a Board instance, which subsequently executes when an authenticated victim views the affected Board page.

Impact

A successful attack could lead to limited confidentiality impact, as the CVSS vector indicates VC:L (no impact on integrity or availability) [2]. The vulnerability does not allow for privilege escalation, but it could enable an attacker to perform actions on behalf of a victim within their session, potentially accessing sensitive information or performing unauthorized actions within the application scope.

Mitigation

Status

The vulnerability is patched in Concrete CMS version 9.3.3, released on the same day as the advisory [1]. The latest release notes explicitly mention several bug fixes and security improvements, including better output sanitization in the Top Navigation Bar block, though the Board XSS fix is not individually itemized [1]. Users should upgrade to version 9.3.3 or later to remediate this issue. Versions below 9.0.0 are not affected [2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: concrete5/concrete5 (Packagist)
Affected versions: >= 9.0.0RC1, < 9.3.3
Patched versions: 9.3.3

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)