Vulnerability DatabaseCVE-2022-43688

CVE-2022-43688:
PHP vulnerability analysis and mitigation

Overview

CVE-2022-43688 affects Concrete CMS (formerly concrete5) versions below 8.5.10 and between 9.0.0 and 9.1.2. The vulnerability is a Stored Cross-Site Scripting (XSS) issue where the Microsoft application tile color is not properly sanitized (NVD, CMS Advisory).

Technical details

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue (CWE-79) with a CVSS v3.1 Base Score of 4.8 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability exists because the Microsoft tile icon is not properly sanitized, allowing for stored XSS attacks (NVD, CMS Advisory).

Impact

The vulnerability allows attackers to potentially execute malicious scripts through the Microsoft tile icon, leading to low confidentiality and integrity impacts. The attack requires high privileges and user interaction to be successful (NVD).

Mitigation and workarounds

The vulnerability has been fixed in Concrete CMS versions 9.1.3+ and 8.5.10+. Users should upgrade to these or newer versions to remediate the issue (Release Notes, CMS Advisory).

Community reactions

The vulnerability was discovered and reported by Bogdan and Adrian Tiron from FORTBRIDGE during their 2022 annual penetration testing and vulnerability assessment of Concrete CMS (CMS Advisory).