VYPR
Moderate severity · NVD Advisory · Published Sep 17, 2024 · Updated Sep 18, 2024

Stored XSS in the "Top Navigator Bar" block

CVE-2024-8660

Description

Concrete CMS versions 9.0.0 through 9.3.3 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block. Since the "Top Navigator Bar" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted users visited the home page. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N (https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N). This does not affect versions below 9.0.0 since they do not have the Top Navigator Bar Block. Thanks, Chu Quoc Khanh for reporting.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Concrete CMS versions 9.0.0–9.3.3 are vulnerable to stored XSS in the Top Navigator Bar block due to unsanitized output, allowing a rogue admin to execute malicious scripts on the home page.

Vulnerability Details

CVE-2024-8660 is a stored cross-site scripting (XSS) vulnerability found in Concrete CMS versions 9.0.0 through 9.3.3. The flaw resides in the "Top Navigator Bar" block, where user-supplied input (such as branding text and the search action URL) was output without proper sanitization. Specifically, the block's template did not use the h() function (which HTML-encodes output) when rendering $brandingText and $searchAction values [2][4].

Exploitation Path

To exploit this vulnerability, an attacker must already be an authenticated administrator with permission to edit the Top Navigator Bar block. The attacker can inject a malicious JavaScript payload into one of the unsanitized fields (e.g., the branding text). When any user visits the home page where the block is displayed, the payload executes within the victim's browser session [1]. The CVSS v4 vector (AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N) indicates that user interaction (visiting the page) is required, and the attack complexity is low [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the affected site. This could lead to session hijacking, defacement, or further malicious actions on behalf of the victim. The CVSS v4 score of 4.6 (medium severity) reflects the requirement for administrative privileges to inject the payload [1].

Mitigation

The vulnerability is fixed in Concrete CMS version 9.3.4, released on 2024-09-17. The fix consists of applying h() (htmlspecialchars) to the $brandingText and $searchAction variables in the Top Navigator Bar template [2][4]. Administrators are strongly advised to upgrade to version 9.3.4 or later. Versions below 9.0.0 are not affected because they do not include the Top Navigator Bar block [1].
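The following PHP is an added example and is not Concrete CMS code. It models the two template lines the Details and Mitigation sections describe, the branding text in the link and the search action in the form attribute, in their pre-9.3.4 raw form and in their h()-encoded form, and adds a probe an audit script can run to confirm that a renderer encodes every interpolated value. The local h() is assumed to behave like Concrete's htmlspecialchars-based helper; renderUnpatched, renderPatched and outputIsEncoded are names chosen for this example, and the sample values are constructed.

```php
<?php
// Added example, not Concrete CMS code: a minimal stand-in for the
// "Top Navigator Bar" view template before and after the 9.3.4 fix, plus a
// probe that checks whether a renderer encodes its output.
declare(strict_types=1);

// Assumption: Concrete CMS's h() wraps htmlspecialchars(). This local helper
// stands in for it; ENT_QUOTES also encodes single quotes so the value is
// safe inside attributes delimited with either quote character.
function h(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Simplified shape of the pre-9.3.4 view.php: block fields are echoed raw.
function renderUnpatched(string $brandingText, string $searchAction): string
{
    return '<a class="navbar-brand" href="/">' . $brandingText . '</a>' . "\n"
         . '<form method="get" action="' . $searchAction . '">';
}

// Same markup with the 9.3.4 change: every block-supplied value goes through h().
function renderPatched(string $brandingText, string $searchAction): string
{
    return '<a class="navbar-brand" href="/">' . h($brandingText) . '</a>' . "\n"
         . '<form method="get" action="' . h($searchAction) . '">';
}

// Encoding probe: feed a marker containing every HTML metacharacter into both
// fields and require that the rendered HTML contains only its entity form.
// Returns true when the renderer encodes its output in both places.
function outputIsEncoded(callable $render): bool
{
    $marker = 'PROBE<&>"\'PROBE';
    $html   = $render($marker, $marker);

    return strpos($html, $marker) === false        // never emitted raw
        && substr_count($html, h($marker)) === 2;  // encoded in both places
}

// Constructed sample values: an admin-entered branding text and search URL
// that happen to contain markup characters (not an exploit string).
$brandingText = 'Acme "Shop" & <Co>';
$searchAction = '/search?q=a&b';

echo "unpatched: ", renderUnpatched($brandingText, $searchAction), PHP_EOL;
echo "patched:   ", renderPatched($brandingText, $searchAction), PHP_EOL;

// Self-check: the unpatched template fails the probe, the patched one passes.
if (outputIsEncoded('renderUnpatched')) {
    throw new RuntimeException('unpatched renderer unexpectedly encodes output');
}
if (!outputIsEncoded('renderPatched')) {
    throw new RuntimeException('patched renderer leaks raw markup');
}
echo "encoding probe: unpatched=fail patched=pass", PHP_EOL;
```

Run it with `php example.php`. The probe is the useful part for a defender: pointing it at each block template that echoes admin-editable fields turns the "did we wrap everything in h()?" question into a repeatable check rather than a manual read of the template.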

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: concrete5/concrete5 (Packagist)
Affected versions: >= 9.0.0, < 9.3.3
Patched versions: 9.3.3

Affected products

2

Patches

1
f5a01c88fb26

Merge pull request #12128 from hissy/fix/top-navigation-bar-title-text

https://github.com/concretecms/concretecms · Andrew Embler · Aug 1, 2024 · via ghsa
2 files changed · +6 −6
  • concrete/blocks/top_navigation_bar/edit.php · +1 −1 · modified
    @@ -69,7 +69,7 @@
             </div>
             <div class="mb-3" v-if="brandingMode == 'logoText' || brandingMode == 'text'">
                 <label class="form-label" for="logo"><?=t('Text Branding')?></label>
    -            <input type="text" name="brandingText" class="form-control" value="<?=$brandingText ?? null ?>">
    +            <input type="text" name="brandingText" class="form-control" value="<?= h($brandingText) ?? null ?>">
                 <div class="help-block"><?=t('Leave blank to inherit this text from the global site name.')?></div>
             </div>
             <div class="mb-3" v-if="brandingMode == 'logoText' || brandingMode == 'logo'">
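Review bot: the null-coalescing in the `+` line is now dead code and no longer guards the undefined-variable case: in `value="<?= h($brandingText) ?? null ?>"` the `??` applies to the return value of h(), which is always a string, while `$brandingText` itself is read as a function argument before `??` can suppress a missing variable. Move the default inside the call, `value="<?= h($brandingText ?? '') ?>"`, which keeps the old behaviour when the block has no branding text yet and still encodes the attribute value.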
    
  • concrete/blocks/top_navigation_bar/view.php · +5 −5 · modified
    @@ -11,7 +11,7 @@
                         <?php if (isset($transparentLogo)) { ?>
                             <img src="<?=$transparentLogo->getURL()?>" class="logo-transparent align-text-center">
                         <?php } ?>
    -                    <?=$brandingText?>
    +                    <?=h($brandingText)?>
                     <?php } ?>
                     <?php if ($logo && ($includeBrandLogo && !$includeBrandText)) { ?>
                         <img src="<?=$logo->getURL()?>" class="logo">
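Review bot: the branding text is now encoded, but the two image tags in this hunk still echo `$transparentLogo->getURL()` and `$logo->getURL()` raw inside `src="..."`. Those values come from file objects rather than the block's free-text fields, so this is a consistency point rather than a defect visible in these lines; wrapping them in h() as well would leave the template with one rule that every interpolated value is encoded.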
    @@ -21,7 +21,7 @@
                     <?php } ?>
     
                     <?php if (!$includeBrandLogo && $includeBrandText) { ?>
    -                    <?=$brandingText?>
    +                    <?=h($brandingText)?>
                     <?php } ?>
                 </a>
     
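Review bot: this is the second of the two places that output `$brandingText`, and both now go through h(), so the text-only branch matches the logo-and-text branch; nothing further is needed in this hunk. A small follow-up would be to compute `$escapedBranding = h($brandingText)` once at the top of the template so that a future third branch cannot reintroduce the raw echo.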
    @@ -42,7 +42,7 @@
                     </button>
                     <div class="collapse navbar-collapse" id="top-navigation-bar-<?=$bID?>">
                         <?php if ($includeSearchInput) { ?>
    -                        <form method="get" action="<?=$searchAction?>">
    +                        <form method="get" action="<?=h($searchAction)?>">
                                 <div class="input-group">
                                     <input class="form-control border-end-0 border" type="search" name="query" placeholder="<?=t('Search')?>" aria-label="<?=t('Search')?>">
                                     <span class="input-group-append">
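Review bot: h() makes `$searchAction` safe inside the quoted `action` attribute, since the value can no longer close the quote or add attributes, but HTML encoding does not validate that the value is a URL at all. If `$searchAction` is admin-editable free text, the complementary check belongs in the block controller at save time: accept only a site-relative path or a URL for this site and fall back to the default search page otherwise.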
    @@ -78,7 +78,7 @@
                                 if (count($item->getChildren()) > 0) { ?>
                                     <li class="nav-item dropdown">
                                         <a class="nav-link<?= $item->isActiveParent() ? " nav-path-selected" : ""; ?> dropdown-toggle<?= $item->isActive() ? " active" : ""; ?>" data-concrete-toggle="dropdown" target="<?=$controller->getPageItemNavTarget($item)?>" href="<?= $item->getUrl() ?>">
    -                                        <?=$item->getName()?>
    +                                        <?=h($item->getName())?>
                                         </a>
                                         <ul class="dropdown-menu">
                                             <?php foreach ($item->getChildren() as $dropdownChild) { ?>
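Review bot: `$item->getName()` is now encoded, but on the `<a>` line just above it `$item->getUrl()` and `$controller->getPageItemNavTarget($item)` are still echoed raw into `href` and `target`. They are page attributes rather than this block's fields, so treat this as the same consistency point as the logo URLs: either encode them with h() here or add a short comment stating why they are trusted, so the next reader does not have to work it out.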
    @@ -87,7 +87,7 @@
                                         </ul>
                                     </li>
                                 <?php } else { ?>
    -                                <li class="nav-item"><a class="nav-link<?= $item->isActiveParent() ? " nav-path-selected" : ""; ?><?= $item->isActive() ? " active" : ""; ?>" target="<?=$controller->getPageItemNavTarget($item)?>" href="<?=$item->getUrl()?>"><?=$item->getName()?></a></li>
    +                                <li class="nav-item"><a class="nav-link<?= $item->isActiveParent() ? " nav-path-selected" : ""; ?><?= $item->isActive() ? " active" : ""; ?>" target="<?=$controller->getPageItemNavTarget($item)?>" href="<?=$item->getUrl()?>"><?=h($item->getName())?></a></li>
                                 <?php } ?>
                             <?php } ?>
                         </ul>
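Review bot: the change is correct and mirrors the dropdown branch above, but this single-line `<li>` now carries five PHP echo tags and is hard to review for exactly the kind of omission this commit fixes. Splitting the tag across lines, one attribute per line, would make any remaining raw `<?=` stand out in future diffs.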
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.