CVE-2025-8571: 
PHP vulnerability analysis and mitigation

Concrete CMS versions 9.0.0 through 9.4.2 and versions below 8.5.21 are vulnerable to a Reflected Cross-Site Scripting (XSS) vulnerability in the Conversation Messages Dashboard Page. The vulnerability was discovered through a penetration test conducted by Fortbridge and was disclosed on May 8, 2025. The vulnerability received a CVSS v4.0 score of 4.8 (Medium) (NVD, ConcreteCMS Release Notes).

The vulnerability exists due to insufficient sanitization in the Url::setVariable method, which allows for reflected XSS attacks in the Conversation Messages Dashboard Page. The issue was addressed in version 9.4.3 and 8.5.21 through commits 12643 and 12646 respectively. The vulnerability has been assigned a CVSS v4.0 vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N, indicating network accessibility with low attack complexity but requiring high privileges and user interaction (ConcreteCMS Release Notes).

If successfully exploited, the vulnerability could lead to theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and if the victim is an administrator, the execution of unauthorized actions (ConcreteCMS Release Notes).

The vulnerability has been fixed in Concrete CMS version 9.4.3 and version 8.5.21. Users are advised to upgrade to these versions or later to address the security issue. The fix involves improved sanitization of the Url::setVariable method (ConcreteCMS Release Notes).