CVE Details
Basic Information
| Title | Concrete CMS 9 through 9.4.2 is vulnerable to Stored XSS from Home Folder on Members Dashboard page |
|---|---|
| Type | cve |
| Published | 2025-08-05T22:36:48.712Z |
| Modified | 2025-08-05T22:36:48.712Z |
Product Information
| Vendor | Concrete CMS |
|---|---|
| Product | Concrete CMS |
| Version | 9.0.0 |
CVSS Information
| Base Score | 2.0 (LOW) |
|---|---|
| Attack Vector | CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
AI Analysis
| AI Description | Concrete CMS versions 9 through 9.4.2 are vulnerable to a stored cross-site scripting (XSS) attack via the Home Folder on the Members Dashboard page. This could allow a malicious admin to create a folder containing XSS, potentially affecting users upon login. |
|---|---|
| AI Severity | Medium |
| AI Vendor | Concrete CMS |
| AI Product | Concrete CMS |
| AI Version | 9.0.0, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.4.1, 9.4.2 |
Affected Products
- Concrete CMS Concrete CMS 9.0.0
Additional Information
| CWE List | CWE-20 |
|---|---|
| Source | ConcreteCMS |
Description
Concrete CMS versions 9 through 9.4.2 are vulnerable to stored XSS via the Home Folder on the Members Dashboard page. Version 8 was not affected. A rogue admin could set up a malicious folder containing XSS to which users could be directed upon login. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.0 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks to sealldev for reporting via HackerOne.