CVE-2025-8571

Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Page. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and (if victim is an admin), the execution of unauthorized actions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Fortbridge https://fortbridge.co.uk/ for performing a penetration test and vulnerability assessment on Concrete CMS and reporting this issue.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.7 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://documentation.concretecms.org/9-x/developers/introduction/version-history/943-release-notes	Release Notes
https://documentation.concretecms.org/developers/introduction/version-history/8521-release-notes	Release Notes
https://www.concretecms.org/download	Product

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:concretecms:concrete_cms::::::::
	cpe:2.3:a:concretecms:concrete_cms::::::::

History

04 Sep 2025, 15:54

Type	Values Removed	Values Added
References	~~() https://documentation.concretecms.org/9-x/developers/introduction/version-history/943-release-notes -~~	() https://documentation.concretecms.org/9-x/developers/introduction/version-history/943-release-notes - Release Notes
References	~~() https://documentation.concretecms.org/developers/introduction/version-history/8521-release-notes -~~	() https://documentation.concretecms.org/developers/introduction/version-history/8521-release-notes - Release Notes
References	~~() https://www.concretecms.org/download -~~	() https://www.concretecms.org/download - Product
CPE		cpe:2.3:a:concretecms:concrete_cms::::::::
CWE		CWE-79
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.8
First Time		Concretecms Concretecms concrete Cms

06 Aug 2025, 20:23

Type	Values Removed	Values Added
Summary		(es) Concrete CMS 9 a 9.4.2 y versiones anteriores a la 8.5.21 son vulnerables a ataques de Cross-Site Scripting (XSS) reflejado en la página del panel de mensajes de conversación. La entrada no depurada podría provocar el robo de cookies o tokens de sesión, la desfiguración del contenido web, la redirección a sitios maliciosos y (si la víctima es administrador), la ejecución de acciones no autorizadas. El equipo de seguridad de Concrete CMS otorgó a esta vulnerabilidad una puntuación de 4.8 en CVSS v.4.0 con el vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Gracias a Fortbridge (https://fortbridge.co.uk/) por realizar una prueba de penetración y una evaluación de vulnerabilidades en Concrete CMS e informar de este problema.

05 Aug 2025, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-05 23:15

Updated : 2025-09-04 15:54

NVD link : CVE-2025-8571

Mitre link : CVE-2025-8571

CVE.ORG link : CVE-2025-8571

JSON object : View

Products Affected

concretecms

concrete_cms

CWE

CWE-20

Improper Input Validation

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

4.8 /10