Concrete CMS Address Attribute Cross-Site Scripting and Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Address attribute of Concrete CMS. It affects Concrete CMS 9 versions prior to 9.4.0RC2 and Concrete CMS 8 versions prior to 8.5.20. The vulnerability arises because address values are not properly sanitized when no country is specified, so an XSS payload can be stored in the attribute. An attacker must first have been granted permission by a site administrator to use the address attribute. While the vulnerability could be exploited to modify limited data and potentially disrupt the dashboard's availability, such actions would be constrained by the attacker's access level and existing site controls.

Impact

Exploitation of this vulnerability could lead to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks, allowing malicious scripts to be injected and unauthorized actions to be executed on behalf of the user.

Remediation

Users can update to Concrete CMS 9.4.0RC2 or 8.5.20 to address this vulnerability. Note, however, that the update only sanitizes data saved after it is applied; it does not clean records already in the database. A database search is recommended to identify and remove any existing unsanitized entries that may have been injected before the update.
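The database search recommended above can be scripted. The following is an added example, not code from Concrete CMS or from this advisory: it takes address attribute rows (here a constructed in-memory sample standing in for a database export; the column names such as address1 and country are hypothetical placeholders, not Concrete CMS's real schema) and flags rows whose text fields contain tag openers or HTML entities. By default it restricts the audit to rows with no country set, because that is the case the advisory says was left unsanitized; passing only_missing_country=False widens the check to every row. The sanitize_row helper shows one clean-up option (HTML-escaping in place, mirroring the "new data is stored sanitized" behaviour the remediation describes).

```python
import html
import re
from typing import Dict, List, Tuple

# Constructed sample rows standing in for an export of the address attribute
# table. Column names are hypothetical placeholders, not the real CMS schema.
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"id": "1", "address1": "1 Main St", "city": "Springfield", "country": "US"},
    {"id": "2", "address1": "<b>2 Oak Ave</b>", "city": "Shelbyville", "country": ""},
    # Apostrophes are legitimate in addresses and must not raise a false positive.
    {"id": "3", "address1": "O'Brien's Corner", "city": "Capital City", "country": ""},
    # Country is set, so the default (missing-country) audit skips this row.
    {"id": "4", "address1": "4 Pine Ln", "address2": "<i>Suite 3</i>",
     "city": "Ogdenville", "country": "GB"},
]

# Free-text fields of the attribute that end up rendered into HTML.
TEXT_FIELDS = ("address1", "address2", "city", "state_province", "postal_code")

# A raw tag opener ("<b", "</b", "<!--") or an HTML entity ("&#...", "&lt;")
# has no business in an address that was stored without sanitization.
SUSPICIOUS = re.compile(r"<[a-zA-Z/!?]|&#|&[a-zA-Z][a-zA-Z0-9]*;")


def is_suspicious(value: str) -> bool:
    """True if the stored value contains markup-like content."""
    return bool(SUSPICIOUS.search(value or ""))


def find_unsanitized(rows: List[Dict[str, str]],
                     only_missing_country: bool = True) -> List[Tuple[str, List[str]]]:
    """Return (row id, [field names]) for every row holding suspicious text.

    With only_missing_country=True (the default) only rows whose country is
    empty are examined, matching the condition under which the unpatched
    versions skipped sanitization.
    """
    flagged: List[Tuple[str, List[str]]] = []
    for row in rows:
        if only_missing_country and row.get("country"):
            continue
        bad = [f for f in TEXT_FIELDS if is_suspicious(row.get(f, ""))]
        if bad:
            flagged.append((row["id"], bad))
    return flagged


def sanitize_row(row: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the row with every text field HTML-escaped.

    Escaping (rather than deleting the row) keeps the address readable while
    neutralising any markup; confirm this matches how the patched version
    stores the attribute before writing rows back, to avoid double-escaping.
    """
    clean = dict(row)
    for f in TEXT_FIELDS:
        if clean.get(f) is not None:
            clean[f] = html.escape(clean[f], quote=True)
    return clean


if __name__ == "__main__":
    for row_id, fields in find_unsanitized(SAMPLE_ROWS):
        print(f"row {row_id}: suspicious content in {', '.join(fields)}")
    print(sanitize_row(SAMPLE_ROWS[1]))
```

Run the audit read-only first and review the flagged rows by hand before rewriting anything: the regex is deliberately broad so it can also catch benign markup that a site owner entered on purpose.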

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 2.3
exploitability: 6.5
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.