
Cloud Vulnerability DB
A community-led vulnerabilities database
Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored Cross-Site Scripting (XSS) vulnerability in Board instances. The vulnerability was discovered by security researcher m3dium and reported through HackerOne. The issue was assigned CVE-2024-7512 and affects only version 9 installations, with versions below 9 being unaffected (NVD).
The vulnerability is classified as a stored XSS vulnerability (CWE-79) that occurs in Board instances. The CVSS 4.0 score was initially assessed at 1.8 but was later updated to 4.6 with the vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. The CVSS 3.1 base score is 4.8 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).
The vulnerability allows a rogue administrator to inject malicious code into Board instances. While the impact is limited by the requirement of administrative privileges, successful exploitation could lead to execution of arbitrary JavaScript code in the context of other users' browsers (Release Notes).
The vulnerability has been fixed in Concrete CMS version 9.3.3 through a patch that implements proper sanitization of Board instance names. Users are advised to upgrade to version 9.3.3 or later to address this security issue (Release Notes).
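The defect class and the fix described above, as an added illustration that is not Concrete CMS code: an administrator-supplied Board instance name is rendered once without output encoding (the vulnerable pattern) and once with it (the hardened pattern), followed by a small audit helper for stored names. The `<h2>` template, the function names and the sample names are assumptions for this example only.

```php
<?php
// Added example, not Concrete CMS code: a privileged user's stored Board
// instance name rendered into a page. The <h2> template, the function names
// and the sample names are assumptions for illustration only.
declare(strict_types=1);

// Constructed sample of stored names; two carry markup an admin could inject.
$storedNames = [
    12 => 'Homepage board',
    13 => 'News <img src=x onerror="alert(1)">',
    14 => '<a href="javascript:alert(1)">Promotions</a>',
];

// Vulnerable pattern: a name saved by an administrator is concatenated
// into HTML as-is, so any markup it contains runs in other users' browsers.
function renderBoardNameUnsafe(string $name): string
{
    return '<h2>' . $name . '</h2>';
}

// Hardened pattern: encode on output for the HTML context; the name may
// still be stored verbatim, but it is displayed as text, never parsed.
function renderBoardNameSafe(string $name): string
{
    return '<h2>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h2>';
}

// Audit helper: flag stored names that already contain tag, event-handler
// or javascript: URL syntax, for reviewing existing data around an upgrade.
function findSuspiciousBoardNames(array $names): array
{
    $flagged = [];
    foreach ($names as $id => $name) {
        if (preg_match('/<\s*\/?[a-z!]|\bon[a-z]+\s*=|javascript\s*:/i', $name)) {
            $flagged[] = $id;
        }
    }
    return $flagged;
}

foreach ($storedNames as $id => $name) {
    echo "#$id unsafe: " . renderBoardNameUnsafe($name) . PHP_EOL;
    echo "#$id safe:   " . renderBoardNameSafe($name) . PHP_EOL;
}
// Expected flagged IDs for the constructed sample: 13, 14
echo 'Flagged IDs: ' . implode(', ', findSuspiciousBoardNames($storedNames)) . PHP_EOL;
```

Running it with `php example.php` shows the raw rendering passing the `onerror` handler through untouched while the hardened rendering emits `&lt;img ...&gt;` as inert text.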
Source: This report was generated using AI