concrete5/core
Fixed in: 8.5.9, 9.1.0
CVE-2022-30120 describes a cross-site scripting (XSS) vulnerability discovered in Concrete5 core. This flaw allows an attacker to inject malicious scripts into the application, potentially leading to information disclosure or session hijacking. The vulnerability impacts versions of Concrete5 up to and including 9.0.2, but is primarily exploitable in older web browsers with XSS protection disabled. A fix is available in version 9.1.0.
The primary impact of CVE-2022-30120 is the potential for cross-site scripting (XSS) attacks. An attacker could inject malicious JavaScript code into the Concrete5 dashboard, specifically within the /dashboard/blocks/stacks/view_details/ endpoint. This code could then be executed in the context of a user's browser, allowing the attacker to steal cookies, redirect the user to a malicious website, or deface the website. The vulnerability's exploitation is limited to older browsers lacking modern XSS protection mechanisms, reducing the overall attack surface. However, systems still using such browsers remain at risk. The Concrete CMS Security team has assessed the vulnerability with a CVSS v3.1 score of 3.1, indicating a low severity.
CVE-2022-30120 was publicly disclosed on June 25, 2022. There are currently no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog. Due to its limited exploitability (requiring older browsers with disabled XSS protection), the probability of exploitation is considered low.
Organizations and individuals still using older web browsers (e.g., Internet Explorer) with XSS protection disabled are particularly at risk. Shared hosting environments running vulnerable Concrete5 installations are also a concern, as attackers could potentially exploit the vulnerability through other tenants on the same server.
• wordpress / composer / npm:
grep -r "built urls" /var/www/concrete5/dashboard/blocks/stacks/view_details/
• generic web:
curl -I https://your-concrete5-site.com/dashboard/blocks/stacks/view_details/ | grep -i "x-xss-protection"
• generic web:
Check the browser developer console for unexpected JavaScript execution when navigating to /dashboard/blocks/stacks/view_details/.
EPSS: 1.25% (79th percentile)
The recommended mitigation for CVE-2022-30120 is to upgrade Concrete5 to version 9.1.0 or later, which includes the necessary sanitization fixes. If upgrading immediately is not feasible, consider restricting access to the /dashboard/blocks/stacks/view_details/ endpoint to trusted users only. While a direct workaround is not available, ensuring that users are on modern browsers with built-in XSS protection significantly reduces the risk. After upgrading, confirm the fix by attempting to inject a simple XSS payload into the /dashboard/blocks/stacks/view_details/ endpoint and verifying that the payload is properly sanitized and not executed.
Update Concrete CMS to version 8.5.8 or later, or to version 9.1.0 or later. This fixes the XSS vulnerability in older browsers. The update removes the possibility of the vulnerability being exploited.
CVE-2022-30120 is a cross-site scripting (XSS) vulnerability affecting Concrete5 core versions up to 9.0.2, exploitable in older browsers with disabled XSS protection.
If you are running Concrete5 core version 9.0.2 or earlier, and your users are using older browsers with XSS protection disabled, you are potentially affected.
Upgrade Concrete5 core to version 9.1.0 or later to remediate the vulnerability. Restricting access to the vulnerable endpoint is a temporary workaround.
As of now, there are no known public exploits or active campaigns targeting CVE-2022-30120.
Refer to the Concrete5 security advisory for detailed information and updates: https://docs.concretecms.com/news/security/concrete5-security-advisory-xss-in-view-details