Primary

Context

Concrete CMS Reflected Cross-Site Scripting Vulnerability in Conversation Messages Dashboard Page

Vulnerability

Patched

A reflected cross-site scripting vulnerability has been identified in Concrete CMS versions 9.0.0 through 9.4.2 and versions prior to 8.5.21. The issue occurs on the Conversation Messages Dashboard Page, where unsanitized input could be exploited to steal session cookies or tokens, deface web content, redirect users to malicious sites, and, if the victim is an admin, execute unauthorized actions.

Impact

Exploitation of this vulnerability could lead to reflected cross-site scripting, allowing attackers to inject malicious scripts that could be executed in the context of the user's browser.

Remediation

Users can upgrade to Concrete CMS versions 9.4.3 or 8.5.21, both of which include the necessary patch. Instructions for downloading Concrete CMS are available on the official website.

Added: Aug 5, 2025, 11:17 PM

Updated: Aug 5, 2025, 11:17 PM

Vulnerability Rating

Custom Algorithm

spread

3.4

impact

6.0

exploitability

5.2

remediation

7.7

relevance

0.3

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.4

impact

6.0

exploitability

5.2

remediation

7.7

relevance

0.3

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Concrete CMS Reflected Cross-Site Scripting Vulnerability in Conversation Messages Dashboard Page

Vulnerability

Impact

Remediation

Affected Products

Concrete CMS

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating