{ "schema_version": "1.4.0", "id": "GHSA-pvmx-mjmh-jfcx", "modified": "2025-03-10T22:26:16Z", "published": "2025-03-10T21:31:12Z", "aliases": [ "CVE-2025-0660" ], "summary": "Concrete CMS affected by a stored XSS in Folder Function.The \"Add Folder\" functionality", "details": "Concrete CMS versions 9.0.0 through 9.3.9 are affected by a stored XSS in Folder Function.The \"Add Folder\" functionality lacks input sanitization, allowing a rogue admin to inject XSS payloads as folder names.  The Concrete CMS security team gave this vulnerability a CVSS 4.0 Score of 4.8 with vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N. Versions below 9 are not affected. Thanks, Alfin Joseph for reporting.", "severity": [ { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N" } ], "affected": [ { "package": { "ecosystem": "Packagist", "name": "concrete5/concrete5" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "9.4.0RC1" } ] } ] } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0660" }, { "type": "WEB", "url": "https://github.com/concretecms/bedrock/pull/370" }, { "type": "WEB", "url": "https://github.com/concretecms/concretecms/pull/12454" }, { "type": "WEB", "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/940-release-notes" }, { "type": "PACKAGE", "url": "https://github.com/concretecms/concretecms" } ], "database_specific": { "cwe_ids": [ "CWE-20", "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-03-10T22:26:16Z", "nvd_published_at": "2025-03-10T21:15:40Z" } }