CVE-2022-43688

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in packagist/concrete5/concrete5

Identifiers

GHSA-9jc5-9wh5-mc36, CVE-2022-43688

Package Slug

packagist/concrete5/concrete5

Vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Description

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in icons since the Microsoft application tile color is not sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

Affected Versions

All versions before 8.5.10, all versions starting from 9.0.0 before 9.1.3

Solution

Upgrade to versions 8.5.10, 9.1.3 or above.

Last Modified

2022-11-22

source