Stored XSS in Folder Function by Rogue Admin
Description
Concrete CMS versions 9.0.0 through 9.3.9 are affected by a stored XSS in the Folder function. The "Add Folder" functionality lacks input sanitization, allowing a rogue admin to inject XSS payloads as folder names. The Concrete CMS security team gave this vulnerability a CVSS 4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N. Versions below 9 are not affected. Thanks to Alfin Joseph for reporting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Concrete CMS 9.0.0–9.3.9 allows stored XSS through folder names submitted via the unsanitized 'Add Folder' input; it is exploitable only by rogue admins and carries a CVSS score of 4.8.
Vulnerability Analysis
CVE-2025-0660 is a stored cross-site scripting (XSS) vulnerability in Concrete CMS versions 9.0.0 through 9.3.9. The root cause is insufficient input sanitization in the "Add Folder" functionality, allowing malicious JavaScript payloads to be stored as folder names.[1][3]
Attack Vector and Prerequisites
An attacker must have administrative privileges to exploit this flaw, making it a high-privilege, low-complexity attack. The attacker can inject XSS payloads when creating or renaming folders. The vulnerability is triggered when an admin user interacts with the folder selector UI, which previously rendered folder names without sanitization.[4] The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N) reflects that the attack requires user interaction and has limited impact on confidentiality within the scope of the session.[1]
Impact
Successful exploitation allows a rogue administrator to execute arbitrary JavaScript in the context of another administrator's session, potentially leading to disclosure of sensitive information visible within the current scope. The impact is limited to confidentiality with low severity, and no integrity or availability impact is expected.[1][3]
Mitigation
The vulnerability is fixed in Concrete CMS version 9.4.0. Users are advised to upgrade immediately to this patched version. The fix also includes sanitization of folder names in the folder selector dropdown, as demonstrated in the associated pull requests for the core and bedrock repositories.[1][2][4] Versions below 9.0.0 are not affected.[3]
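The render-time failure described above, as an added illustration that is not code from the Concrete CMS or bedrock repositories: a stored folder name is concatenated into the folder-selector markup without escaping (the vulnerable pattern), beside the hardened version that escapes HTML metacharacters, plus a helper a defender can use to audit existing folder names for markup. Folder records, function names and the folder-name sample are constructed for this example.

```javascript
// Constructed sample data: folder records as a selector would receive them.
// Folder 2 carries HTML metacharacters of the kind an unsanitized
// "Add Folder" form would let a rogue admin store.
const SAMPLE_FOLDERS = [
  { id: 1, name: "Reports" },
  { id: 2, name: "Shared <\"Q3\"> & 'Archive'" },
];

// Vulnerable pattern: the stored name lands in the markup unchanged, so any
// tags or attributes inside it are parsed by the next admin's browser.
function renderOptionsUnsafe(folders) {
  return folders
    .map((f) => `<option value="${f.id}">${f.name}</option>`)
    .join("");
}

// Minimal HTML escaping covering the five characters that can break out of
// text content or a double/single-quoted attribute.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened pattern: every untrusted field is escaped at the point of output,
// which is what a render-time sanitization fix amounts to.
function renderOptionsSafe(folders) {
  return folders
    .map((f) => `<option value="${escapeHtml(f.id)}">${escapeHtml(f.name)}</option>`)
    .join("");
}

// Audit helper: list folders whose stored names contain markup characters,
// useful for reviewing names created before an upgrade to a fixed version.
function flagMarkupInNames(folders) {
  return folders.filter((f) => /[&<>"']/.test(String(f.name)));
}
```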
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| concrete5/concrete5 (Packagist) | < 9.4.0RC1 | 9.4.0RC1 |
Affected products
- Concrete CMS / Concrete CMS v5 (range: 9.0.0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/concretecms/bedrock/pull/370 (ghsa, patch, web)
- github.com/concretecms/concretecms/pull/12454 (ghsa, patch, web)
- github.com/advisories/GHSA-pvmx-mjmh-jfcx (ghsa, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-0660 (ghsa, advisory)
- documentation.concretecms.org/9-x/developers/introduction/version-history/940-release-notes (ghsa, release notes, web)
News mentions
No linked articles in our index yet.