CVE-2024-1246 Vulnerability Details

  /     /     /  

CVE-2024-1246 Metadata Quick Info

CVE Published: 09/02/2024 | CVE Updated: 01/08/2024 | CVE Year: 2024
Source: ConcreteCMS | Vendor: Concrete CMS | Product: Concrete CMS
Status : PUBLISHED

---

CVE-2024-1246 Description

Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature due to insufficient validation of administrator provided data. A rogue administrator could inject malicious code when importing images, leading to the execution of the malicious code on the website user’s browser. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N. This does not affect Concrete versions prior to version 9.

Metrics

CVSS Version: 3.1 | Base Score: 2 LOW
Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* HIGH
    Privileges Required (PR)* HIGH
    User Interaction (UI)* REQUIRED
    Scope (S)* UNCHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* LOW
    Integrity Impact (I)* NONE
    Availability Impact (A)* NONE

Weakness Enumeration (CWE)

CWE-ID: CWE-20
CWE Name: CWE-20 Improper Input Validation
Source: Concrete CMS

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID: CAPEC-63
CAPEC Description: CAPEC-63 Cross-Site Scripting (XSS)


Source: NVD (National Vulnerability Database).