CVE-2025-8571: Concrete CMS vulnerable to Reflected Cross-Site Scripting (XSS) in Conversation Messages Dashboard Page
(updated )
Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Page. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and (if victim is an admin), the execution of unauthorized actions.
References
- documentation.concretecms.org/9-x/developers/introduction/version-history/943-release-notes
- documentation.concretecms.org/developers/introduction/version-history/8521-release-notes
- github.com/advisories/GHSA-4pcg-pjp5-3mc6
- github.com/concretecms/concretecms
- github.com/concretecms/concretecms/commit/4b39dcc17c309dc82eb8398e8cdb146942f62f92
- github.com/concretecms/concretecms/commit/f7630b467d3a234d3d333ca117046a500e7ee2b6
- nvd.nist.gov/vuln/detail/CVE-2025-8571
- www.concretecms.org/download
Code Behaviors & Features
Detect and mitigate CVE-2025-8571 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →