{ "schema_version": "1.4.0", "id": "GHSA-x577-gcc9-9xjj", "modified": "2024-12-16T21:34:44Z", "published": "2024-02-29T03:33:14Z", "aliases": [ "CVE-2023-48650" ], "summary": "Concrete CMS Stored XSS in Layout Preset Name", "details": "Concrete CMS before 8.5.14 and 9 before 9.2.3 is vulnerable to an admin adding a stored XSS payload via the Layout Preset name.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N" } ], "affected": [ { "package": { "ecosystem": "Packagist", "name": "concrete5/concrete5" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "8.5.14" } ] } ] }, { "package": { "ecosystem": "Packagist", "name": "concrete5/concrete5" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0" }, { "fixed": "9.2.3" } ] } ] } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48650" }, { "type": "WEB", "url": "https://github.com/concretecms/concretecms/commit/077755e6bbbc1c67b7508add9e3d207e8d8909a0" }, { "type": "WEB", "url": "https://github.com/concretecms/concretecms/commit/5b93470bcccf271810d3a0b190368ce6a9d6c84b" }, { "type": "WEB", "url": "https://documentation.concretecms.org/developers/introduction/version-history/923-release-notes" }, { "type": "PACKAGE", "url": "https://github.com/concretecms/concretecms" }, { "type": "WEB", "url": "https://www.concretecms.org/about/project-news/security/2023-12-05-concrete-cms-new-cves-and-cve-updates" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-02-29T20:09:58Z", "nvd_published_at": "2024-02-29T01:41:34Z" } }