CVE-2023-28474: 
PHP vulnerability analysis and mitigation

Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 was identified with a Stored Cross-Site Scripting (XSS) vulnerability on Saved Presets functionality in the search feature. The vulnerability was discovered and disclosed in April 2023, affecting the content management system's search preset functionality (Concrete Advisory).

The vulnerability stems from insufficient sanitization when saving presets on search functionality. The issue was assigned a CVSS v3.1 base score of 3.5 (Low) with the vector string AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N, indicating that it requires high privileges and user interaction to exploit (NVD, Concrete Advisory).

The vulnerability could allow an attacker with high privileges to store and execute malicious JavaScript code through the search preset functionality, potentially affecting users who interact with the compromised presets. The impact is limited due to the high privilege requirement and necessary user interaction (Concrete Advisory).

The vulnerability has been fixed in Concrete CMS version 9.2.0. Users are advised to upgrade their installations to version 9.2.0 or later to address this security issue (Concrete Advisory).

The vulnerability was reported through the responsible disclosure process by security researcher Veshraj Ghimire (HackerOne report #1768494), demonstrating the effectiveness of the project's security reporting mechanisms (Concrete Advisory).