If you are running a version before 8.5.10 and are using a browser that supports XSS protection, you must update to a version that has XSS protection enabled.

Concrete CMS is also vulnerable to CSRF: a user can cause an administrator to trigger a CSRF request via a URL if the targeted administrator is using an old browser that lacks CSRF protection. Remediate by updating to Concrete CMS 9.1.3+. If you are running a version before 8.5.10 and are using a browser that supports CSRF protection, you must update to a version that has CSRF protection enabled.

Note that the above list references versions of Concrete CMS. Depending on your setup, you may be running an older version of Concrete CMS. If you are running a version older than 9.1.3 or 8.5.10, you must update to one of those versions or higher.

Concrete CMS - XSS Protection Bypass

Concrete CMS is vulnerable to XSS attacks. In particular, Concrete CMS is vulnerable to CSRF (cross-site request forgery) attacks, and such an attack can be used to bypass the web application's protection against XSS. Concrete CMS requires that a browser support XSS protection in order for a user to execute an XSS attack; if the browser does not support XSS protection, the user will not be able to perform an attack and will only see an error message when attempting to change their username or password. Version 8.5.10 of Concrete CMS includes a vulnerability that allows attackers using browsers without XSS protection to bypass the web application's protection against CSRF. This vulnerability affects all versions of 8.5.x before 8.5.10 and all versions of 9 before 9.1, which have no security fix available at this time.

Concrete CMS - Version 8.5.10

Concrete CMS has fixed a critical vulnerability in the 8.5.9 and 8.5.10 versions that may allow an attacker to take control of the CMS and its associated domain by exploiting a cross-site scripting (XSS) issue. If you are running a version older than 8.5.10, update to the latest version as soon as possible to protect your site.

Installation of Concrete CMS

You must install Concrete CMS 9.1.3+ in order to protect against CSRF; remediate by installing Concrete CMS 9.1.3+.

Timeline

Published on: 11/14/2022 19:15:00 UTC
Last modified on: 11/16/2022 23:13:00 UTC
