CVE-2023-44761: 
PHP vulnerability analysis and mitigation

Multiple Cross Site Scripting (XSS) vulnerabilities were discovered in Concrete CMS versions up to 8.5.13 and 9.0.0 through 9.2.1. The vulnerability allows a local attacker to execute arbitrary code via a crafted script to the Forms of the Data objects (NVD, Concrete CMS).

The vulnerability exists in the sanitization of entries in the Forms of 'Data Objects' which allows injecting JavaScript code that will be executed when users access the web page. The issue specifically affects the form fields within Data Objects, where attackers can inject malicious payloads through the 'Custom Label' field and other form fields (GitHub POC). The vulnerability has been assigned a CVSS v3.1 Base Score of 5.4 MEDIUM with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

If exploited, this vulnerability allows attackers to execute arbitrary JavaScript code in users' browsers when they access affected web pages. This could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected users (GitHub POC).

The vulnerability has been fixed in Concrete CMS version 9.2.2 and version 8.5.13. Users are advised to upgrade to these or later versions to address the security issue (Concrete CMS).