CVE-2025-8571 (CNNVD-202508-399)
中文标题:
Concrete CMS 安全漏洞
英文标题:
Concrete CMS 9 through 9.4.2 and below 8.5.21 is vulnerable to Reflected Cross-Site Scripting (XSS) in Conversation Messages Dashboard Page
漏洞描述
中文描述:
Concrete CMS是Concrete CMS开源的一个面向团队的开源内容管理系统。 Concrete CMS 9至9.4.2版本和8.5.21之前版本存在安全漏洞,该漏洞源于会话消息仪表板页面存在反射型跨站脚本漏洞。
英文描述:
Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Page. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and (if victim is an admin), the execution of unauthorized actions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Fortbridge https://fortbridge.co.uk/ for performing a penetration test and vulnerability assessment on Concrete CMS and reporting this issue.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| Concrete CMS | Concrete CMS | - | < 9.4.3 | - |
cpe:2.3:a:concrete_cms:concrete_cms:*:*:*:*:*:*:*:*
|
| concretecms | concrete_cms | * | - | - |
cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
4.0 (cna)
MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-8571 |
2025-11-11 15:23:37 | 2025-11-11 07:40:53 |
| NVD | nvd_CVE-2025-8571 |
2025-11-11 15:00:58 | 2025-11-11 07:48:39 |
| CNNVD | cnnvd_CNNVD-202508-399 |
2025-11-11 15:12:52 | 2025-11-11 08:00:08 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 其他
- cnnvd_id: 未提取 -> CNNVD-202508-399
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- data_sources: ['cve'] -> ['cve', 'nvd']