CVE-2024-3178: 
PHP vulnerability analysis and mitigation

Concrete CMS versions 9 below 9.2.8 and versions below 8.5.16 are vulnerable to Cross-site Scripting (XSS) in the Advanced File Search Filter. This vulnerability was discovered and disclosed on April 3, 2024, affecting the file manager functionality of Concrete CMS (NVD).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation) and has received a CVSS v3.1 base score of 4.8 MEDIUM from NIST (Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N) and 3.1 LOW from ConcreteCMS (Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L). The vulnerability stems from insufficient validation of administrator-provided data in the Advanced File Search Filter (Release Notes).

The vulnerability allows a rogue administrator to add malicious code in the file manager through the Advanced File Search Filter. Since all administrators have access to the File Manager, they could create a search filter with malicious code attached, potentially affecting other users who interact with the system (NVD).

The vulnerability has been fixed in Concrete CMS versions 9.2.8 and 8.5.16. Users should upgrade to these or later versions to mitigate the risk. The fix was implemented through commit 11988 for version 9 and commit 11989 for version 8 (Release Notes).

The vulnerability was reported through HackerOne (report #949443) by security researcher Guram (javakhishvili). The Concrete CMS security team acknowledged and addressed the vulnerability promptly (Release Notes).