Platform: php
Component: concretecms
Fixed in: 9.2.5
CVE-2024-1247 affects Concrete CMS versions prior to 9.2.5 and is a stored Cross-Site Scripting (XSS) vulnerability. The flaw resides in the 'Role Name' field of user role administration: an administrator could inject script into this field, and it would execute in the browsers of other users who visit pages where the role name is displayed. The severity is moderate because administrator privileges are required to exploit it, but the impact is execution of attacker-controlled script in other users' browsers, potentially compromising the confidentiality and integrity of information. Updating to version 9.2.5 mitigates the issue. Versions below 9 are not affected.
The vulnerability is exploited by injecting malicious JavaScript code into the 'Role Name' field in role administration. An administrator with access to the administration panel can modify this field and save the role with the malicious code. When a user (or even the administrator who created it) visits a page where the role name is displayed, the JavaScript code executes in the user's browser context, allowing the attacker to perform actions such as stealing cookies, redirecting to malicious websites, or modifying the page content. The complexity of exploitation is moderate, as it requires administrative access, but the impact can be significant.
Exploit Status
EPSS: 8.20% (92nd percentile)
CISA SSVC
CVSS Vector
The solution for CVE-2024-1247 is straightforward: update Concrete CMS to version 9.2.5 or higher. This update includes the fixes needed to correctly validate data entered in the 'Role Name' field, preventing the injection of malicious code. Apply the update as soon as possible, especially in production environments. Additionally, review existing user roles to check whether any role names already contain injected markup. Regularly applying security patches is a fundamental practice for maintaining the security of any CMS.
Update Concrete CMS to version 9.2.5 or higher. This version corrects the stored XSS vulnerability in the 'Role Name' field. The update can be performed through the Concrete CMS administration panel or by downloading the latest version from the official website.
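As an added illustration (not Concrete CMS's own code), the snippet below contrasts the unescaped echo pattern behind this class of flaw with output-encoded rendering of the 'Role Name' value, and includes a helper for the post-update review of stored role names; the function names and sample role rows are constructed for this example.

```php
<?php
// Added example, not Concrete CMS code: unescaped vs. escaped rendering of an
// administrator-supplied role name, plus an audit of stored names for markup.
declare(strict_types=1);

// Vulnerable pattern: the stored role name is written into HTML verbatim,
// so any markup an administrator saved in the field becomes live DOM.
function renderRoleUnsafe(string $roleName): string
{
    return "<td class=\"role-name\">{$roleName}</td>";
}

// Hardened pattern: encode for the HTML text context at output time.
// ENT_QUOTES also encodes quotes so the value is safe inside attributes;
// ENT_SUBSTITUTE avoids returning '' on invalid UTF-8, which would hide data.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderRoleSafe(string $roleName): string
{
    return '<td class="role-name">' . escapeHtml($roleName) . '</td>';
}

// Audit helper for the review the advisory recommends after updating: flag
// stored role names containing HTML-significant characters or event-handler
// patterns. Legitimate role names rarely need them, so hits get a manual look.
function suspiciousRoleNames(array $roleNames): array
{
    $flagged = [];
    foreach ($roleNames as $id => $name) {
        if (preg_match('/[<>"\']|javascript:|on\w+\s*=/i', $name)) {
            $flagged[$id] = $name;
        }
    }
    return $flagged;
}

// Constructed sample rows standing in for the roles table (id => name).
$roles = [
    1 => 'Administrators',
    2 => 'Editors',
    3 => 'Reviewers <script>alert(1)</script>',
];

foreach ($roles as $name) {
    echo renderRoleSafe($name), PHP_EOL; // row 3 is rendered as inert text
}
print_r(suspiciousRoleNames($roles));    // reports row 3 for manual review
```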
XSS (Cross-Site Scripting) is a type of security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.
Stored (or persistent) XSS means that the malicious script is saved on the server (e.g., in a database) and executed every time a user accesses the affected page.
If you are using a version of Concrete CMS prior to 9.2.5, your site is vulnerable. Perform the update as soon as possible.
If you suspect your site has been compromised, immediately change the passwords of all administrators and perform a comprehensive security audit.
In addition to updating, implement robust security policies, educate administrators about best security practices, and use security tools to detect and prevent attacks.