VYPR
← All advisories
Moderate severityNVD Advisory· Published Sep 16, 2024· Updated Sep 25, 2024

Concrete CMS version 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in the "Next&Previous Nav" block

CVE-2024-8661

Description

Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in the "Next&Previous Nav" block. A rogue administrator could add a malicious payload by executing it in the browsers of targeted users. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N  Since the "Next&Previous Nav" block output was not sufficiently sanitized, the malicious payload could be executed in the browsers of targeted users. Thanks, Chu Quoc Khanh for reporting.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Concrete CMS 9.0.0-9.3.3 and <8.5.19 have a stored XSS vulnerability in the Next&Previous Nav block, allowing a rogue admin to inject malicious scripts.

Vulnerability

CVE-2024-8661 describes a stored cross-site scripting (XSS) vulnerability in the Next&Previous Nav block of Concrete CMS, affecting versions 9.0.0 through 9.3.3 and versions prior to 8.5.19. [1] The root cause is that the block's output is not sufficiently sanitized, allowing a malicious payload to be stored and later executed in the browsers of targeted users. [2]

Exploitation

Exploitation requires a user with administrative privileges. A rogue administrator can introduce a malicious payload into the Next&Previous Nav block. [1] The attack vector is network-based (AV:N) with low attack complexity (AC:L) and requires user interaction (UI:A) from the victim. [1] No special network position beyond standard web access is needed, but the attacker must have authenticated admin rights.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of a victim's browser session. The CVSS v4 score is 4.6 (Medium) with a vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N, indicating limited impact on integrity but no direct impact on confidentiality or availability. [1]

Mitigation

The fix was released in Concrete CMS versions 8.5.19 and 9.3.4, with commits identified in pull request #12204. [2][3] Users should upgrade to these versions or later. The vulnerability was reported by Chu Quoc Khanh via HackerOne (issue 2610205). [4]

References
  1. NVD - CVE-2024-8661
  2. Misc. Fixes 09/10/24 by aembler · Pull Request #12204 · concretecms/concretecms
  3. 9.3.4 Release Notes
  4. 8.5.19 Release Notes

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
concrete5/concrete5Packagist
< 8.5.198.5.19
concrete5/concrete5Packagist
>= 9.0.0, < 9.3.49.3.4

Affected products

2

Patches

2
ce5ee2ab83fe

Fix H1 2610205

https://github.com/concretecms/concretecmsAndrew EmblerSep 10, 2024via ghsa
commit
1 file changed · +5 5
  • concrete/blocks/next_previous/controller.php+5 5 modified
    @@ -77,13 +77,13 @@ public function view()
         $nextCollection = $this->getNextCollection();
         if (is_object($nextCollection) && !$nextCollection->isError()) {
             $nextLinkURL = $nextCollection->getCollectionLink();
-            $nextLinkText = $nextCollection->getCollectionName();
+            $nextLinkText = h($nextCollection->getCollectionName());
         }
 
         $this->set('nextCollection', $nextCollection);
         $this->set('nextLinkURL', $nextLinkURL);
         $this->set('nextLinkText', $nextLinkText);
-        $this->set('nextLabel', $this->nextLabel);
+        $this->set('nextLabel', h($this->nextLabel));
 
         // Previous
         $previousLinkURL = '';
@@ -92,13 +92,13 @@ public function view()
 
         if (is_object($previousCollection) && !$previousCollection->isError()) {
             $previousLinkURL = $previousCollection->getCollectionLink();
-            $previousLinkText = $previousCollection->getCollectionName();
+            $previousLinkText = h($previousCollection->getCollectionName());
         }
 
         $this->set('previousCollection', $previousCollection);
         $this->set('previousLinkURL', $previousLinkURL);
         $this->set('previousLinkText', $previousLinkText);
-        $this->set('previousLabel', $this->previousLabel);
+        $this->set('previousLabel', h($this->previousLabel));
 
         // Parent / Up
         $parentLinkURL = '';
@@ -109,7 +109,7 @@ public function view()
 
         $this->set('parentCollection', $parentCollection);
         $this->set('parentLinkURL', $parentLinkURL);
-        $this->set('parentLabel', $this->parentLabel);
+        $this->set('parentLabel', h($this->parentLabel));
     }
 
     public function add()
3e548b416ae3

Fix H1 2610205

https://github.com/concretecms/concretecmsAndrew EmblerSep 10, 2024via ghsa
commit
1 file changed · +5 5
  • concrete/blocks/next_previous/controller.php+5 5 modified
    @@ -94,13 +94,13 @@ public function view()
         $nextCollection = $this->getNextCollection();
         if (is_object($nextCollection) && !$nextCollection->isError()) {
             $nextLinkURL = $nextCollection->getCollectionLink();
-            $nextLinkText = $nextCollection->getCollectionName();
+            $nextLinkText = h($nextCollection->getCollectionName());
         }
 
         $this->set('nextCollection', $nextCollection);
         $this->set('nextLinkURL', $nextLinkURL);
         $this->set('nextLinkText', $nextLinkText);
-        $this->set('nextLabel', $this->nextLabel);
+        $this->set('nextLabel', h($this->nextLabel));
 
         // Previous
         $previousLinkURL = '';
@@ -109,13 +109,13 @@ public function view()
 
         if (is_object($previousCollection) && !$previousCollection->isError()) {
             $previousLinkURL = $previousCollection->getCollectionLink();
-            $previousLinkText = $previousCollection->getCollectionName();
+            $previousLinkText = h($previousCollection->getCollectionName());
         }
 
         $this->set('previousCollection', $previousCollection);
         $this->set('previousLinkURL', $previousLinkURL);
         $this->set('previousLinkText', $previousLinkText);
-        $this->set('previousLabel', $this->previousLabel);
+        $this->set('previousLabel', h($this->previousLabel));
 
         // Parent / Up
         $parentLinkURL = '';
@@ -126,7 +126,7 @@ public function view()
 
         $this->set('parentCollection', $parentCollection);
         $this->set('parentLinkURL', $parentLinkURL);
-        $this->set('parentLabel', $this->parentLabel);
+        $this->set('parentLabel', h($this->parentLabel));
     }
 
     public function add()

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

News mentions

0

No linked articles in our index yet.