CVE-2024-1247

CVSS 3.1 Score 4.8 of 10 (medium)

Details

Published Feb 9, 2024
Updated: Feb 15, 2024
CWE ID 79
CWE ID 20

Summary

CVE-2024-1247 is a stored XSS vulnerability affecting Concrete CMS version 9 before 9.2.5. Because administrator-provided data is insufficiently validated, malicious code can be injected into the Role Name field, posing a high risk for users who visit affected pages. The vulnerability's CVSS v3 base score is 2, with the following metrics: Attack Vector: Non-local / Attack Complexity: High / Privileges Required: High / User Interaction: Required / Scope: Unchanged / Confidentiality: Low / Integrity: Low / Availability: None. The Concrete CMS security team advises users to upgrade to version 9.2.5 or newer to mitigate this risk. Versions below 9 are not affected, as they do not include group types.
