CVE-2025-2967: ConcreteCMS Cross-Site Scripting (XSS) via HTML Block Text Field

March 31, 2025

A vulnerability was found in ConcreteCMS up to 9.3.9. It has been classified as problematic. This affects the function Save of the component HTML Block Handler. The manipulation of the argument content leads to HTML injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References

github.com/advisories/GHSA-xfqf-5rhg-5c73
github.com/concretecms/concretecms
github.com/yaowenxiao721/Poc/blob/main/Concretecms/Concretecms-poc5.md
nvd.nist.gov/vuln/detail/CVE-2025-2967
vuldb.com/?ctiid.302019
vuldb.com/?id.302019
vuldb.com/?submit.522417

Code Behaviors & Features

Detect and mitigate CVE-2025-2967 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →