CVE-2023-44766: 
PHP vulnerability analysis and mitigation

A Cross Site Scripting (XSS) vulnerability was reported in Concrete CMS v.9.2.1 that allegedly allows an attacker to execute arbitrary code via a crafted script to the SEO - Extra from Page Settings. This vulnerability was assigned CVE-2023-44766 and has been disputed by the vendor. The vendor states that this SEO-related header change can only be made by an admin, and allowing an admin to place JavaScript there is an intentional customization feature (NVD, Concrete Advisory).

The vulnerability was initially reported with a CVSS v3.1 Base Score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The issue involves the SEO - Header Extra Content functionality in the Page Settings section, which allows JavaScript code injection. However, this functionality is intentionally designed to allow administrators to add JavaScript to all pages as a core feature necessary for website functionality (NVD).

The reported impact is limited as the functionality is only accessible to administrators with appropriate permissions. The vendor maintains that this is not a vulnerability but rather a core feature that website owners need, with robust advanced permissions controlling access to these fields (Concrete Advisory).

The vendor states that no mitigation is necessary as this is intended functionality. They recommend using their robust advanced permissions system to control access to these fields in the dashboard, allowing website owners to manage who can add JavaScript to pages (Concrete Advisory).

The vendor has formally rejected this CVE and is reaching out to MITRE to have it recalled. They have also announced plans to become a CVE Numbering Authority (CNA) to better manage vulnerability disclosures for their product (Concrete Advisory).