CVE-2024-8660

{"id": "CVE-2024-8660", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}], "cvssMetricV40": [{"type": "Secondary", "source": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 4.6, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "LOW", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "NONE", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-09-17T19:15:28.953", "references": [{"url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes", "tags": ["Release Notes"], "source": "ff5b8ace-8b95-4078-9743-eac1ca5451de"}, {"url": "https://github.com/concretecms/concretecms/pull/12128", "tags": ["Issue Tracking", "Patch"], "source": "ff5b8ace-8b95-4078-9743-eac1ca5451de"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "description": [{"lang": "en", "value": "CWE-79"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Concrete CMS versions 9.0.0 through 9.3.3 are affected by a\nstored XSS vulnerability in the \"Top Navigator Bar\" block.\nSince the \"Top Navigator Bar\" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted users visited the home page.The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6\nwith vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N . This\ndoes not affect versions below 9.0.0 since they do not have the Top\nNavigator Bar Block. Thanks, Chu Quoc Khanh for reporting."}, {"lang": "es", "value": "Las versiones 9.0.0 a 9.3.3 de Concrete CMS se ven afectadas por una vulnerabilidad XSS almacenado en el bloque \"Barra de navegaci\u00f3n superior\". Dado que la salida de la \"Barra de navegaci\u00f3n superior\" no se desinfect\u00f3 lo suficiente, un administrador malintencionado podr\u00eda agregar una carga maliciosa que podr\u00eda ejecutarse cuando los usuarios objetivo visitaran la p\u00e1gina de inicio. El equipo de seguridad de Concrete CMS le dio a esta vulnerabilidad una puntuaci\u00f3n CVSS v4 de 4,6 con el vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N . Esto no afecta a las versiones anteriores a la 9.0.0, ya que no tienen el bloque de la barra de navegaci\u00f3n superior. Gracias, Chu Quoc Khanh, por informarnos."}], "lastModified": "2024-09-23T23:00:00.437", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CFC31A92-D0E7-470F-9241-E416ECB32A97", "versionEndExcluding": "9.3.4", "versionStartIncluding": "9.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "ff5b8ace-8b95-4078-9743-eac1ca5451de"}