CVE-2025-0660

Concrete CMS versions 9.0.0 through 9.3.9 are affected by a stored XSS in Folder Function.The "Add Folder" functionality lacks input sanitization, allowing a rogue admin to inject XSS payloads as folder names. The Concrete CMS security team gave this vulnerability a CVSS 4.0 Score of 4.8 with vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N. Versions below 9 are not affected. Thanks, Alfin Joseph for reporting.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://documentation.concretecms.org/9-x/developers/introduction/version-history/940-release-notes	Release Notes
https://github.com/concretecms/bedrock/pull/370	Issue Tracking
https://github.com/concretecms/concretecms/pull/12454	Issue Tracking Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*

History

04 Sep 2025, 15:54

Type	Values Removed	Values Added
CPE		cpe:2.3:a:concretecms:concrete_cms::::::::
Summary		(es) Las versiones 9.0.0 a 9.3.9 de Concrete CMS se ven afectadas por un XSS almacenado en la función de carpeta. La funcionalidad "Agregar carpeta" carece de depuración de entrada, lo que permite que un administrador malintencionado inyecte payloads XSS como nombres de carpeta. El equipo de seguridad de Concrete CMS le dio a esta vulnerabilidad una puntuación CVSS 4.0 de 4.8 con el vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N. Las versiones anteriores a la 9 no se ven afectadas. Gracias, Alfin Joseph, por informar.
References	~~() https://documentation.concretecms.org/9-x/developers/introduction/version-history/940-release-notes -~~	() https://documentation.concretecms.org/9-x/developers/introduction/version-history/940-release-notes - Release Notes
References	~~() https://github.com/concretecms/bedrock/pull/370 -~~	() https://github.com/concretecms/bedrock/pull/370 - Issue Tracking
References	~~() https://github.com/concretecms/concretecms/pull/12454 -~~	() https://github.com/concretecms/concretecms/pull/12454 - Issue Tracking, Patch
CWE		CWE-79
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.8
First Time		Concretecms Concretecms concrete Cms

10 Mar 2025, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-10 21:15

Updated : 2025-09-04 15:54

NVD link : CVE-2025-0660

Mitre link : CVE-2025-0660

CVE.ORG link : CVE-2025-0660

JSON object : View

Products Affected

concretecms

concrete_cms

CWE

CWE-20

Improper Input Validation

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

4.8 /10