GHSA-f73j-pm2c-rxvrMedium
Concrete CMS is Vulnerable to Reflected XSS in Legacy Pagination
🔗 CVE IDs covered (1)
📋 Description
Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection. Concrete\Core\Legacy\Pagination builds pagination links by raw-interpolating its $URL field into href="" (<a href="{$linkURL}" …>). Any authenticated admin or report viewer with access to /dashboard/reports/forms/legacy who clicks the crafted URL fires the payload in their session.
🎯 Affected products1
- composer/concrete5/concrete5:< 9.5.1