CVE-2024-1246
Published 2024-02-09
Priority: P4 · 20 · medium · CVSS 3.1: 4.8
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.45% (36.1th percentile)
Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import feature due to insufficient validation of administrator-provided data. A rogue administrator could inject malicious code when importing images, leading to execution of that code in the website user's browser. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N. This does not affect Concrete versions prior to version 9.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| concrete5 | concrete5 | >= 9.0.0RC1 < 9.2.5 | 9.2.5 |
| concrete_cms | concrete_cms | >= 9.0.0 < 9.2.5 | 9.2.5 |
| concretecms | concrete_cms | >= 9.0.0 < 9.2.5 | 9.2.5 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.8 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
| vendor_redhat | | 5.5 | MEDIUM | |
GHSA
Concrete CMS vulnerable to reflected XSS via the Image URL Import Feature
ghsa·2024-02-09
CVE-2024-1246 [LOW] CWE-20 Concrete CMS vulnerable to reflected XSS via the Image URL Import Feature
OSV
Concrete CMS vulnerable to reflected XSS via the Image URL Import Feature
osv·2024-02-09
CVE-2024-1246 [LOW] Concrete CMS vulnerable to reflected XSS via the Image URL Import Feature
Red Hat
kernel: nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()
vendor_redhat·2024-04-03·CVSS 5.5
CVE-2024-26696 [MEDIUM] CWE-1246 kernel: nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()
kernel: nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()
In the Linux kernel, the following vulnerability has been resolved:
nilfs2: fix hang in nilfs_lookup_dirty_data_buffers()
Syzbot reported a hang issue in migrate_pages_batch() called by mbind() and nilfs_lookup_dirty_data_buffers() called in the log writer of nilfs2. While migrate_pages_batch() locks a folio and waits for the writeback to complete, the log writer thread that should bring the writeback to completion picks up the folio being written back in nilfs_lookup_dirty_data_buffers(), which it calls for subsequent log creation, and was trying to lock the folio, thus causing a deadlock.
In the first place, it is unexpected that folios/pages in the middle of writeback will be updated and become dirty. Nilfs2 adds a checksum to
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://documentation.concretecms.org/9-x/developers/introduction/version-history/925-release-notes
https://www.concretecms.org/about/project-news/security/2024-02-04-security-advisory