CVE-2022-43967: 
PHP vulnerability analysis and mitigation

CVE-2022-43967 affects Concrete CMS (formerly concrete5) versions below 8.5.10 and between 9.0.0 and 9.1.2. The vulnerability is a Reflected Cross-Site Scripting (XSS) issue in the multilingual report feature due to un-sanitized output. The vulnerability was discovered and reported by Bogdan and Adrian Tiron from FORTBRIDGE (Vendor Advisory).

The vulnerability has a CVSS v3.1 base score of 5.9 MEDIUM with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N. The issue stems from improper output sanitization in the multilingual dashboard report functionality, which could allow reflected XSS attacks (Vendor Advisory).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser session when they access the affected multilingual report page. This could potentially lead to high confidentiality impact and low integrity impact (Vendor Advisory).

Users should upgrade to Concrete CMS version 8.5.10+ or 9.1.3+ which contain fixes for this vulnerability. The fix involves properly sanitizing output in the multilingual dashboard report (Release Notes, GitHub Release).