📄 Concrete CMS 9.4.3 Cross Site Scripting_PACKETSTORM:209109

Description

Concrete................................................

Basic Information

ID PACKETSTORM:209109

Published Sep 2, 2025 at 00:00

Affected Product

Affected Versions # Exploit Title: Concrete CMS version 9.4.3 - Stored XSS
# Date: 2/09/2025
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.concretecms.org/
# Software Link:
https://www.concretecms.org/download_file/8e11ad24-cc1e-4880-8553-7c18ede22c50/2658
# Version: 9.4.3
# Tested on: Windows XP

'''
Description:
A stored XSS vulnerability in the Concrete CMS admin panel allows
administrators to inject malicious scripts into the site's tracking codes,
which then execute for every site visitor.

'''

Reproduction Steps:
1. Login to Concrete CMS dashboard with administrator credentials
2. Navigate to: Dashboard → System & Settings → SEO & Statistics → Tracking
Codes
3. Locate the "Footer Tracking Codes" text input field
4. Insert malicious JavaScript payload: <script>alert('XSS')</script>
5. Save the configuration changes
6. Visit any frontend page of the website

Observe JavaScript alert execution on page load

{
    "lastseen": "2025-09-03T18:07:49",
    "description": "Concrete................................................",
    "published": "2025-09-02T00:00:00",
    "modified": "2025-09-02T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Concrete CMS 9.4.3 Cross Site Scripting",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:209109",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "# Exploit Title:  Concrete CMS version 9.4.3 - Stored XSS\n    # Date: 2/09/2025\n    # Exploit Author: Chokri Hammedi\n    # Vendor Homepage: https://www.concretecms.org/\n    # Software Link:\n    https://www.concretecms.org/download_file/8e11ad24-cc1e-4880-8553-7c18ede22c50/2658\n    # Version: 9.4.3\n    # Tested on: Windows XP\n    \n    \n    '''\n    Description:\n    A stored XSS vulnerability in the Concrete CMS admin panel allows\n    administrators to inject malicious scripts into the site's tracking codes,\n    which then execute for every site visitor.\n    \n    '''\n    \n    \n    Reproduction Steps:\n    1. Login to Concrete CMS dashboard with administrator credentials\n    2. Navigate to: Dashboard \u2192 System & Settings \u2192 SEO & Statistics \u2192 Tracking\n    Codes\n    3. Locate the \"Footer Tracking Codes\" text input field\n    4. Insert malicious JavaScript payload: <script>alert('XSS')</script>\n    5. Save the configuration changes\n    6. Visit any frontend page of the website\n    \n    Observe JavaScript alert execution on page load",
    "sourceHref": "https://packetstorm.news/download/209109",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/209109/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply