Improper Input Validation Affecting concrete5/concrete5 package, versions >=9.0.0, <9.2.5


Severity

Recommended
0.0
low
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.4% (32nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PHP-CONCRETE5CONCRETE5-6241863
  • published12 Feb 2024
  • disclosed9 Feb 2024
  • creditGabor

Introduced: 9 Feb 2024

CVE-2024-1245  (opens in a new tab)
CWE-20  (opens in a new tab)

How to fix?

Upgrade concrete5/concrete5 to version 9.2.5 or higher.

Overview

concrete5/concrete5 is a concrete5 open source CMS.

Affected versions of this package are vulnerable to Improper Input Validation due to insufficient sanitization of administrator-entered file attributes on the Edit Attributes page. A rogue administrator could inject malicious code into the file tags or description attributes, which would execute when another administrator views the same file for editing.

CVSS Base Scores

version 3.1