CVE-2023-28820: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

April 28, 2023 (updated May 1, 2023)

Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized.

References

github.com/advisories/GHSA-fgxj-g7x3-85cq
github.com/concretecms/concretecms/releases
nvd.nist.gov/vuln/detail/CVE-2023-28820
www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2023-04-20

Code Behaviors & Features

Detect and mitigate CVE-2023-28820 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →