CVE-2023-44764: 
PHP vulnerability analysis and mitigation

A Cross Site Scripting (XSS) vulnerability was identified in Concrete CMS versions before 9.2.3, tracked as CVE-2023-44764. The vulnerability exists in the Name parameter during installation (also known as Site of Installation or Settings), allowing attackers to execute arbitrary code via crafted scripts (NVD, Concrete Docs).

The vulnerability is a stored XSS issue that occurs during the installation process or in the Settings section. An attacker can inject malicious JavaScript code through the SITE parameter, which is then stored and executed when users access the web page. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

When successfully exploited, the vulnerability allows attackers to execute arbitrary JavaScript code in the context of users' browsers who visit the affected web pages. This could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected users (GitHub POC).

The vulnerability has been fixed in Concrete CMS version 9.2.3. Users are advised to upgrade to this version or later to address the security issue. The fix was implemented in commit 11764 (Concrete Docs).