Improper Input Validation Affecting concrete5/concrete5 package, versions >=9.0.0, <9.2.7


Severity

low (CVSS assessment by Snyk's Security Team)

Threat Intelligence

EPSS
0.31% (23rd percentile)

  • Snyk ID: SNYK-PHP-CONCRETE5CONCRETE5-6411749
  • published: 7 Mar 2024
  • disclosed: 5 Mar 2024
  • credit: Luca Fuda

Introduced: 5 Mar 2024

CVE-2024-2179
CWE-20

How to fix?

Upgrade concrete5/concrete5 to version 9.2.7 or higher.

Overview

concrete5/concrete5 is the package for concrete5, an open source CMS.

Affected versions of this package are vulnerable to Improper Input Validation because administrator-provided data for the Name field of a Group type is insufficiently validated. A rogue administrator could inject malicious code into the Name field, which might be executed when users visit the affected page.
