CVE-2024-3179

{"id": "CVE-2024-3179", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 2.5, "exploitabilityScore": 0.5}]}, "published": "2024-04-03T19:15:44.387", "references": [{"url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/928-release-notes?_gl=1*1bcxp5s*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY2ODEuMC4wLjA.", "source": "ff5b8ace-8b95-4078-9743-eac1ca5451de"}, {"url": "https://documentation.concretecms.org/developers/introduction/version-history/8516-release-notes?_gl=1*1oa3zn1*_ga*MTc1NDc0Njk2Mi4xNzA2ODI4MDU1*_ga_HFB3HPNNLS*MTcxMjE2NjYyNi4xMy4xLjE3MTIxNjY3MDcuMC4wLjA.", "source": "ff5b8ace-8b95-4078-9743-eac1ca5451de"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "ff5b8ace-8b95-4078-9743-eac1ca5451de", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "Concrete CMS version 9 before 9.2.8 and previous versions before 8.5.16 are vulnerable to\u00a0Stored XSS in the Custom Class page editing.\u00a0Prior to the fix, a rogue administrator could insert malicious code in the custom class field due to insufficient validation of administrator provided data.\u00a0The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Thanks\u00a0Alexey Solovyev for reporting.\u00a0\n\n"}, {"lang": "es", "value": "La versi\u00f3n 9 de Concrete CMS anterior a 9.2.8 y las versiones anteriores a 8.5.16 son vulnerables a XSS Almacenado en la edici\u00f3n de la p\u00e1gina de clase personalizada. Antes de la soluci\u00f3n, un administrador deshonesto pod\u00eda insertar c\u00f3digo malicioso en el campo de clase personalizado debido a una validaci\u00f3n insuficiente de los datos proporcionados por el administrador. El equipo de seguridad de Concrete CMS le dio a esta vulnerabilidad una puntuaci\u00f3n CVSS v3.1 de 3.1 con un vector de AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A: L https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator. Gracias Alexey Solovyev por informar."}], "lastModified": "2024-04-04T12:48:41.700", "sourceIdentifier": "ff5b8ace-8b95-4078-9743-eac1ca5451de"}