CVE-2024-7394
CVSS 3.1 Score 4.8 of 10 (medium)
Details
Summary
CVE-2024-7394 is a stored Cross-Site Scripting (XSS) vulnerability affecting Concrete CMS versions 9 through 9.3.2 and versions below 8.5.18. Malicious code can be injected through the getAttributeSetName() function, which puts users at risk. An unauthorized administrator can exploit this vulnerability. The Concrete CMS team has assigned a CVSS v3.1 score of 2 and a CVSS v4.0 score of 1.8 to this issue. Both versions indicate a high level of privilege required to exploit the vulnerability (PR:H) and a user interface vulnerability (UI:A). However, the attack vector is network-based (AV:N), and the impact is limited to user data loss (C:L), with no information leakage or denial-of-service (I:N/A:N).
Affected Products
- Concretecms Concrete Cms
Affected Vendors
- Concrete CMS