Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability
翻译中…平台
php
组件
concrete5/concrete5
修复版本
9.4.8
9.4.8
CVE-2026-3241 is a critical Remote Code Execution (RCE) vulnerability found in the openclaw component. This flaw allows non-admin operators to self-claim the operator.admin scope, bypassing pairing and potentially gaining full control of the system. The vulnerability impacts versions of openclaw up to and including 2026.3.24, and a fix is available in version 2026.3.25.
影响与攻击场景翻译中…
CVE-2026-3241 affects Concrete CMS versions prior to 9.4.8, presenting a Cross-Site Scripting (XSS) vulnerability within the 'Legacy Form' block. An authenticated user with permissions to create or edit forms (e.g., a rogue administrator) can inject a persistent JavaScript payload into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box). This payload is then executed in the browser of any user who views the page containing the form. The potential impact includes cookie theft, redirection to malicious websites, modification of page content, or the execution of arbitrary code in the context of the affected user. The vulnerability's severity is rated CVSS 4.8.
利用背景翻译中…
The vulnerability is exploited through manipulation of the options in a 'Checkbox List', 'Radio Buttons', or 'Select Box' question within a 'Legacy Form'. An attacker with form editing privileges can inject malicious JavaScript code into these options. When a user visits the page containing the form, their browser executes the injected JavaScript code, allowing the attacker to perform malicious actions. The persistent nature of the payload means the vulnerability remains active until the fix is applied.
威胁情报
漏洞利用状态
EPSS
0.02% (4% 百分位)
CISA SSVC
CVSS 向量
这些指标意味着什么?
- Attack Vector
- 网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
- Attack Complexity
- 低 — 无需特殊条件,可以稳定地利用漏洞。
- Privileges Required
- 高 — 需要管理员或特权账户。
- User Interaction
- 需要 — 受害者必须打开文件、点击链接或访问特制页面。
- Scope
- 已改变 — 攻击可以超出脆弱组件,影响其他系统。
- Confidentiality
- 低 — 可访问部分数据。
- Integrity
- 低 — 攻击者可修改部分数据,影响有限。
- Availability
- 无 — 无可用性影响。
受影响的软件
软件包信息
- 最后更新
- 9.5.1最近
弱点分类 (CWE)
时间线
- 已保留
- 发布日期
- EPSS 更新日期
缓解措施和替代方案翻译中…
The solution to mitigate CVE-2026-3241 is to update Concrete CMS to version 9.4.8 or higher. This update corrects the XSS vulnerability by properly validating and escaping user input within the 'Legacy Form' block. It is highly recommended to apply the update as soon as possible to protect your website from potential attacks. Additionally, review user permissions to ensure only authorized users have access to create and edit forms. Implementing a robust password policy and enabling two-factor authentication can help prevent unauthorized access to Concrete CMS administration.
修复方法翻译中…
Actualice Concrete CMS a la versión 9.4.8 o superior. Esta versión contiene la corrección para la vulnerabilidad XSS almacenada en el bloque "Legacy Form". La actualización eliminará la posibilidad de inyectar código JavaScript malicioso a través de las opciones de preguntas de opción múltiple.
CVE 安全通讯
漏洞分析和关键警报直接发送到您的邮箱。
常见问题翻译中…
What is CVE-2026-3241 — Cross-Site Scripting (XSS) in concrete5/concrete5?
XSS (Cross-Site Scripting) is a type of security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.
Am I affected by CVE-2026-3241 in concrete5/concrete5?
If you are using a version of Concrete CMS prior to 9.4.8 and have the 'Legacy Form' block enabled, your site is vulnerable. Apply the update as soon as possible.
How do I fix CVE-2026-3241 in concrete5/concrete5?
If you suspect your site has been compromised, immediately change all user passwords, review site logs for suspicious activity, and consider restoring from a clean backup.
Is CVE-2026-3241 being actively exploited?
There is no viable workaround without updating to version 9.4.8 or higher. Disabling the 'Legacy Form' block is a temporary option, but it will limit your site's functionality.
Where can I find the official concrete5/concrete5 advisory for CVE-2026-3241?
You can find more information about the update to version 9.4.8 on the official Concrete CMS website: [https://www.concretecms.com/](https://www.concretecms.com/)