VYPR
← All advisories
Moderate severityNVD Advisory· Published Sep 24, 2024· Updated Jan 17, 2025

Concrete CMS Stored XSS in Image Editor Background Color

CVE-2024-8291

Description

Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in Image Editor Background Color.  A rogue admin could add malicious code to the Thumbnails/Add-Type. The Concrete CMS Security Team gave this a CVSS v4 score of 5.1 with vector https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks,  Alexey Solovyev for reporting. (CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Concrete CMS stored XSS in Image Editor Background Color allows rogue admin to inject malicious code; patched in versions 9.3.4 and 8.5.19.

Vulnerability

Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to stored cross-site scripting (XSS) in the Image Editor Background Color feature. The root cause is insufficient sanitization of the "Save Background Image Colour" output on the file thumbnail dashboard single page [1][2]. This allows a malicious actor with admin privileges to inject arbitrary JavaScript or other malicious code.

Exploitation

The attack requires an authenticated user with administrative privileges. The attacker can add malicious code to the Thumbnails/Add-Type functionality, which is then stored and executed in the browsers of users who view the affected page. The attack complexity is considered high (AC:H) as it requires high privileges [3][4].

Impact

Successful exploitation leads to stored XSS, enabling the attacker to execute scripts in the context of the victim's browser. The CVSS v4 score is 2.1, indicating low impact on confidentiality and no impact on integrity or availability [3][4].

Mitigation

The vulnerability has been fixed in Concrete CMS versions 9.3.4 and 8.5.19 through commits dbce253 and 12183 for versions 8 and 9 respectively [1][3][4]. Users should upgrade to these patched versions to mitigate the risk.

References
  1. Misc fixes 082224 by aembler · Pull Request #12183 · concretecms/concretecms
  2. NVD - CVE-2024-8291
  3. 9.3.4 Release Notes
  4. 8.5.19 Release Notes

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
concrete5/concrete5Packagist
>= 9.0.0, < 9.3.49.3.4
concrete5/concrete5Packagist
< 8.5.198.5.19

Affected products

2

Patches

2
d97b43b8dd0b

Merge pull request #12183 from aembler/misc-fixes-082224

https://github.com/concretecms/concretecmsAndrew EmblerAug 22, 2024via ghsa
commit
3 files changed · +4 4
  • concrete/config/concrete.php+2 2 modified
    @@ -6,8 +6,8 @@
      *
      * @var string
      */
-    'version' => '9.3.3',
-    'version_installed' => '9.3.3',
+    'version' => '9.3.4',
+    'version_installed' => '9.3.4',
     'version_db' => '20240711000000', // the key of the latest database migration
 
     /*
  • concrete/single_pages/dashboard/system/files/thumbnails.php+1 1 modified
    @@ -120,7 +120,7 @@
         <div class="form-group">
             <?= $form->label('ftSaveAreaBackgroundColor', t('Image Editor Background Color')); ?>
             <div>
-                <?= $form_color->output('ftSaveAreaBackgroundColor', $type->getSaveAreaBackgroundColor(), ['preferredFormat' => 'hex']); ?>
+                <?= $form_color->output('ftSaveAreaBackgroundColor', h($type->getSaveAreaBackgroundColor()), ['preferredFormat' => 'hex']); ?>
             </div>
             <p class="help-block"><?= t('Leave this empty to use a transparent background.'); ?></p>
         </div>
  • concrete/views/dialogs/event/view_version.php+1 1 modified
    @@ -12,7 +12,7 @@
     <?php if (!$version->isApproved()) { ?>
         <div class="alert alert-info"><?=t('This occurrence belongs to an event version that is not yet approved.')?></div>
     <?php } ?>
-    <h3><?=$version->getName()?></h3>
+    <h3><?=h($version->getName())?></h3>
 
     <?php
     $repetitions = $version->getRepetitions();
dbce253166f6

Fix H1 921527

https://github.com/concretecms/concretecmsAndrew EmblerAug 22, 2024via ghsa
commit
1 file changed · +1 1
  • concrete/single_pages/dashboard/system/files/thumbnails.php+1 1 modified
    @@ -120,7 +120,7 @@
         <div class="form-group">
             <?= $form->label('ftSaveAreaBackgroundColor', t('Image Editor Background Color')); ?>
             <div>
-                <?= $form_color->output('ftSaveAreaBackgroundColor', $type->getSaveAreaBackgroundColor(), ['preferredFormat' => 'hex']); ?>
+                <?= $form_color->output('ftSaveAreaBackgroundColor', h($type->getSaveAreaBackgroundColor()), ['preferredFormat' => 'hex']); ?>
             </div>
             <p class="help-block"><?= t('Leave this empty to use a transparent background.'); ?></p>
         </div>

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

News mentions

0

No linked articles in our index yet.