CVE-2024-1247

Severity: Low
Published: 09 February 2024
Modified: 21 November 2024
KEV Added: not listed
Patch: 9.2.5 or later (see Deeper analysis)
CVSS v3.1 base score: 2.0 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N)
EPSS score: 0.0819 (92.4th percentile)
Risk Priority: 9 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-1247 is a low-severity Improper Input Validation (CWE-20) vulnerability in Concrete CMS (vendor: concretecms); the underlying flaw is a stored cross-site scripting issue (CWE-79). Its CVSS base score is 2.0 (Low).

Operationally, its EPSS score places it in the top 7.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Concrete CMS version 9 before 9.2.5 contains a stored cross-site scripting vulnerability in the Role Name field. The flaw stems from insufficient validation of data supplied by administrators when creating or editing roles, allowing HTML or script content to be persisted and later rendered for other users. Versions prior to 9 are unaffected because they lack the group types feature that introduced the vulnerable field.

A rogue administrator account can supply malicious markup in the Role Name field. When another user later views a page that displays role information, the injected code may execute in that user's browser context. The CVSS vector reflects the narrow conditions: high attack complexity, high privileges required (an administrator account), user interaction, and an impact limited to low integrity.

The Concrete CMS security advisory and 9.2.5 release notes direct administrators to upgrade immediately to version 9.2.5 or later, which contains the fix for the input-handling issue. The project also published the advisory on 4 February 2024 alongside the corresponding version-history documentation.

EPSS scores for the CVE have remained low, with a current value of 0.0819 after a modest peak of 0.1018.

Vulnerability details

Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS via the Role Name field since there is insufficient validation of administrator-provided data for that field. A rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the affected page. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator). Concrete versions below 9 do not include group types so they are not affected by this vulnerability.

CWE(s)

CWE-20 (Improper Input Validation), CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: concretecms
Product: concrete cms
Versions: 9.0.0 up to but not including 9.2.5 (9.2.5 contains the fix)

Mitigating Controls

Likely Mitigating Controls (AI-generated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-20, CWE-79: Directly implements checks on information inputs to reject invalid data before processing.
- Addresses CWE-79: Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
- Addresses CWE-20: Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
- Addresses CWE-20: Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
- Addresses CWE-79: Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
- Addresses CWE-20: Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.
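The following is an added illustration of the pattern the Deeper analysis describes and of the two controls listed above that address it (input validation for CWE-20, output validation/encoding for CWE-79). It is hypothetical PHP written for this page, not code from Concrete CMS: the function names, the HTML fragment and the sample inputs are all constructed. It shows a stored administrator-supplied role name rendered without escaping beside the hardened rendering, plus a server-side validator that narrows what can be persisted in the first place.

```php
<?php
// Added example for CVE-2024-1247; hypothetical code, not taken from Concrete CMS.
// A "role name" entered by an administrator is stored and later rendered for
// other users. Rendering it unescaped is the stored-XSS pattern; the two
// defensive functions below are the input-validation and output-encoding layers.

declare(strict_types=1);

/** Vulnerable rendering: the stored value is interpolated into HTML as-is. */
function renderRoleNameVulnerable(string $roleName): string
{
    return "<td class=\"role-name\">{$roleName}</td>";
}

/** Hardened rendering (CWE-79): encode on output so markup is displayed, not executed. */
function renderRoleNameSafe(string $roleName): string
{
    $encoded = htmlspecialchars($roleName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<td class=\"role-name\">{$encoded}</td>";
}

/**
 * Input validation (CWE-20): accept only what a role name needs.
 * Returns null when the name is rejected; the caller should then return a
 * validation error to the administrator instead of persisting the value.
 */
function validateRoleName(string $roleName): ?string
{
    $trimmed = trim($roleName);
    if ($trimmed === '' || mb_strlen($trimmed, 'UTF-8') > 64) {
        return null;
    }
    // Letters in any script, digits, spaces and a few punctuation marks.
    // Characters with HTML meaning (< > & " ') are not in the allowlist.
    if (!preg_match('/^[\p{L}\p{N} _.\-]+$/u', $trimmed)) {
        return null;
    }
    return $trimmed;
}

// Constructed sample inputs: a normal role name and one carrying markup.
$submitted = ['Editors', 'Site <script>alert(1)</script> Admins'];

foreach ($submitted as $name) {
    $accepted = validateRoleName($name);
    echo "input:      " . $name . PHP_EOL;
    echo "validated:  " . ($accepted ?? '(rejected)') . PHP_EOL;
    echo "vulnerable: " . renderRoleNameVulnerable($name) . PHP_EOL;
    echo "safe:       " . renderRoleNameSafe($name) . PHP_EOL . PHP_EOL;
}
```

Output encoding is the layer that closes the XSS regardless of what already sits in the database, which matters when a site upgrades after a value has been stored; the validator only limits what new entries can contain. Because the attacker model here is an authenticated administrator rather than an anonymous visitor, the validation must run server-side and its rejection path must be logged, so that an unusual role-name submission is visible in audit trails.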
