CVE-2024-1247: 
PHP vulnerability analysis and mitigation

Concrete CMS version 9 before 9.2.5 contains a stored Cross-Site Scripting (XSS) vulnerability in the Role Name field. The vulnerability was discovered and disclosed on February 4, 2024, and affects Concrete CMS versions from 9.0.0 up to (excluding) 9.2.5. Versions below 9 are not affected by this vulnerability as they do not include group types (Vendor Advisory).

The vulnerability stems from insufficient validation of administrator-provided data in the Role Name field. The issue has been assigned CVE-2024-1247 and is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-20 (Improper Input Validation). The vulnerability has received two different CVSS v3.1 scores: a NIST score of 4.8 (Medium) with vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, and a ConcreteCMS score of 2.0 (Low) with vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N (NVD).

If exploited, a rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the affected page. The impact is considered relatively low due to the requirement of administrative privileges and user interaction (Vendor Advisory).

The vulnerability has been fixed in Concrete CMS version 9.2.5. Users are advised to upgrade to this version or later to address the security issue (Release Notes).