CVE-2024-4350

Summary

CVE-2024-4350 is a stored Cross-Site Scripting (XSS) vulnerability affecting Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18. Malicious code can be injected into fields due to insufficient input validation in the RSS Displayer, potentially allowing a rogue administrator to manipulate user responses. The security team assigned a CVSS v3.1 score of 3.0 and a CVSS v4 score of 2.1, both with a high level of privilege required to exploit this vulnerability (PR:H), and a low impact on confidentiality (C:L) or integrity (I:N). Users are advised to update their Concrete CMS installations to mitigate this risk.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.