CVE-2024-2179: 
PHP vulnerability analysis and mitigation

Concrete CMS version 9 before 9.2.7 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Name field of a Group type. The vulnerability was discovered and disclosed on March 5, 2024, and affects all Concrete CMS versions from 9.0.0 to versions before 9.2.7. Concrete versions below 9 are not affected as they do not include group types (NVD, Release Notes).

The vulnerability stems from insufficient validation of administrator-provided data in the Name field of a Group type. The issue is classified as CWE-79 (Cross-site Scripting). The CVSS v3.1 scores vary between sources, with NVD assigning a base score of 4.8 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N) while ConcreteCMS rates it at 2.2 LOW (Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N) (NVD).

If exploited, a rogue administrator could inject malicious code into the Name field which might be executed when users visit the affected page. This could potentially lead to unauthorized client-side code execution in users' browsers (NVD).

The vulnerability has been fixed in Concrete CMS version 9.2.7. Users are advised to upgrade to this version or later to address the security issue. The fix was implemented in commit 11965 (Release Notes).