CVE-2024-8291: 
PHP vulnerability analysis and mitigation

Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability in the Image Editor Background Color feature. The vulnerability was discovered by Alexey Solovyev and reported through HackerOne. The issue was disclosed and patched in January 2025 (NVD).

The vulnerability exists in the Image Editor Background Color feature where output of 'Save Background Image Colour' in file thumbnail dashboard single page was not properly sanitized. The vulnerability has been assigned a CVSS v4.0 score of 5.1 (MEDIUM) with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. The vulnerability is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

The vulnerability allows a rogue administrator to add malicious code to the Thumbnails/Add-Type functionality. When exploited, this could lead to execution of arbitrary JavaScript code in the context of other users' browsers, potentially leading to session hijacking, defacement, or theft of sensitive browser-based data (Release Notes).

The vulnerability has been fixed in the patches released through commits dbce253166f6b10ff3e0c09e50fd395370b8b065 for version 8 and pull request 12183 for version 9. The fix involves properly sanitizing the output of the Save Background Image Color function. Users are advised to upgrade to the latest version of Concrete CMS (Release Notes).