CVE-2023-48649: 
PHP vulnerability analysis and mitigation

Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows stored XSS (Cross-Site Scripting) on the Admin page via an uploaded file name. This vulnerability was discovered and disclosed in November 2023 (Concrete Blog, NVD).

The vulnerability stems from insufficient sanitization of uploaded file names in the admin interface. When files are uploaded, the file names are not properly sanitized before being rendered in the admin interface, allowing for potential execution of malicious JavaScript code. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) by NVD, while MITRE assigned it a score of 3.5 LOW (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N) (NVD).

The vulnerability allows attackers to execute arbitrary JavaScript code in the context of the admin page through specially crafted file names. This could potentially lead to data theft, session hijacking, or other malicious actions within the administrative interface (Concrete Blog).

The vulnerability has been fixed in Concrete CMS versions 8.5.13 and 9.2.2. Users are advised to upgrade to these versions or later. The fix includes proper sanitization of uploaded file names to prevent XSS attacks (Release Notes).

The vulnerability was responsibly disclosed through the HackerOne platform by security researcher @akbar_jafarli (H1 2149479). The Concrete CMS security team assessed and addressed the vulnerability promptly, leading to patches in both the 8.5.x and 9.x branches (Concrete Blog).