CVE-2022-43695 : Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn’t exist or, if it does exist, contains XSS since it was not properly sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

Published 2022-11-14 23:15:13

Updated 2022-11-17 04:59:23

Source MITRE

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Exploit prediction scoring system (EPSS) score for CVE-2022-43695

Probability of exploitation activity in the next 30 days: 0.11%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 41 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2022-43695

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.8	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N	1.7	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: Required Scope: Changed Confidentiality: Low Integrity: Low Availability: None

CWE ids for CVE-2022-43695

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2022-43695

https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes

9.1.3 Release Notes :: Concrete CMS
Release Notes;Vendor Advisory

CVEs referencing this url
https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31

Concrete CMS Security Advisory 2022-10-31
Vendor Advisory

CVEs referencing this url
https://github.com/concretecms/concretecms/releases/9.1.3

Release 9.1.3 · concretecms/concretecms · GitHub
Release Notes;Vendor Advisory

CVEs referencing this url
https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes

8.5.10-12 Release Notes :: Concrete CMS
Release Notes;Vendor Advisory

CVEs referencing this url
https://github.com/concretecms/concretecms/releases/8.5.10

Release 8.5.10 · concretecms/concretecms · GitHub
Release Notes;Vendor Advisory

CVEs referencing this url

Products affected by CVE-2022-43695

Concretecms » Concrete Cms
Versions before (<) 8.5.10
cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*
Matching versions
Concretecms » Concrete Cms
Versions from including (>=) 9.0.0 and up to, including, (<=) 9.1.2
cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2022-43695

Exploit prediction scoring system (EPSS) score for CVE-2022-43695

CVSS scores for CVE-2022-43695

CWE ids for CVE-2022-43695

References for CVE-2022-43695

Products affected by CVE-2022-43695