CVE-2024-1245
Published 2024-02-09
Priority: P4 · CVSS 3.1: 4.8 (medium) · Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.40% (31.8th percentile)
Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes, since administrator-entered file attributes are not sufficiently sanitized in the Edit Attributes page. A rogue administrator could put malicious code into the file tags or description attributes and, when another administrator opens the same file for editing, the malicious code could execute. The Concrete CMS Security team scored this 2.4 with CVSS v3 vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| concrete5 | concrete5 | >= 9.0.0RC1 < 9.2.5 | 9.2.5 |
| concrete_cms | concrete_cms | >= 9.0.0 < 9.2.5 | 9.2.5 |
| concretecms | concrete_cms | >= 9.0.0 < 9.2.5 | 9.2.5 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (CVSS 3.1) | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
| Red Hat (vendor) | 5.7 | MEDIUM | |
GHSA · 2024-02-09
CVE-2024-1245 [LOW] CWE-20: Concrete CMS vulnerable to stored XSS in file tags and description attributes
OSV · 2024-02-09
CVE-2024-1245 [LOW]: Concrete CMS vulnerable to stored XSS in file tags and description attributes
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://documentation.concretecms.org/9-x/developers/introduction/version-history/925-release-notes
- https://www.concretecms.org/about/project-news/security/2024-02-04-security-advisory