CVE-2024-7398
📋 TL;DR
Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 contain a stored cross-site scripting (XSS) vulnerability in the calendar event addition feature. Users or groups with permission to create or modify event calendars can inject malicious scripts that execute when other users view the calendar. This affects all Concrete CMS installations running vulnerable versions.
💻 Affected Systems
- Concrete CMS
📦 What is this software?
Concrete CMS by Concretecms
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker with calendar permissions could inject malicious scripts that steal session cookies, redirect users to phishing sites, or perform actions on behalf of authenticated users when they view the calendar.
Likely Case
Privileged users could inadvertently or maliciously embed scripts in calendar events that execute when other users view the calendar, potentially leading to session hijacking or client-side attacks.
If Mitigated
With proper input validation and output encoding, the scripts would be rendered harmless as text rather than executed.
🎯 Exploit Status
Exploitation requires authenticated access with calendar creation/modification permissions. The vulnerability is straightforward to exploit once authenticated with appropriate privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.3.4 for version 9.x, 8.5.19 for version 8.x
Vendor Advisory: https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes
Restart Required: No
Instructions:
1. Back up your Concrete CMS installation and database.
2. Update to Concrete CMS version 9.3.4 if using version 9.x.
3. Update to Concrete CMS version 8.5.19 if using version 8.x.
4. Verify the update was successful by checking the version in the dashboard.
🔧 Temporary Workarounds
Restrict Calendar Permissions
Temporarily restrict calendar creation and modification permissions to only trusted administrators until patching can be completed.
Implement Output Encoding
Manually implement proper output encoding for calendar event names in custom templates if immediate patching isn't possible.
🧯 If You Can't Patch
- Restrict calendar creation and modification permissions to only essential, trusted users.
- Implement a web application firewall (WAF) with XSS protection rules to block malicious script injection attempts.
🔍 How to Verify
Check if Vulnerable:
Check your Concrete CMS version in the dashboard or via the system information page. If running any version from 9.0.0 through 9.3.3, or any version below 8.5.19, you are vulnerable.
Check Version:
Check via Concrete CMS dashboard: System & Settings > System Information, or check the concrete/config/concrete.php file version constant.
Verify Fix Applied:
After updating, verify the version shows 9.3.4 or higher for version 9.x, or 8.5.19 or higher for version 8.x. Test calendar event creation with script-like content to ensure it's properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual calendar event creation/modification patterns
- Calendar events containing script tags or JavaScript code in event names
Network Indicators:
- HTTP requests containing script payloads in calendar-related parameters
SIEM Query:
Search for POST requests to calendar endpoints with parameters containing script tags or JavaScript functions.
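The search described above, expressed as a small Python scanner, is an added example and not part of the advisory or of Concrete CMS itself. It runs over constructed, reverse-proxy-style log lines that record the POST form body (a plain access log would not); the log format, the `/calendar/` path pattern and the sample payloads are all assumptions to adapt to your own logging.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log (assumed format: "<ts> <src-ip> <method> <path> body=\"<form body>\"").
# Paths under /ccm/system/calendar/ are an assumption for Concrete CMS calendar endpoints.
SAMPLE_LOG = """\
2024-08-20T10:01:02Z 203.0.113.5 POST /index.php/ccm/system/calendar/event/add body="name=Team+sync&date=2024-09-01"
2024-08-20T10:02:17Z 203.0.113.9 POST /index.php/ccm/system/calendar/event/add body="name=%3Cscript%3Ealert(1)%3C%2Fscript%3E&date=2024-09-02"
2024-08-20T10:03:44Z 203.0.113.9 GET /index.php/dashboard/calendar/events body=""
2024-08-20T10:04:10Z 198.51.100.7 POST /index.php/login body="uName=bob&uPassword=x"
2024-08-20T10:05:30Z 203.0.113.9 POST /index.php/ccm/system/calendar/event/edit body="name=Q3+review+%3Cimg+src%3Dx+onerror%3Dalert(1)%3E"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) body="(?P<body>[^"]*)"$'
)
# Only calendar-related endpoints are of interest for this CVE.
CALENDAR_PATH_RE = re.compile(r"/calendar/", re.IGNORECASE)
# Heuristic for the content the advisory asks a SIEM query to flag: script tags,
# javascript: URIs and inline event-handler attributes. Tune for your own data;
# a legitimate event name that happens to contain "on...=" will also match.
SCRIPT_RE = re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def find_suspicious_calendar_posts(log_text):
    """Return one hit per POST parameter on a calendar endpoint whose decoded value looks script-like."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m["method"] != "POST" or not CALENDAR_PATH_RE.search(m["path"]):
            continue
        # parse_qs percent-decodes values and turns '+' into spaces, so the
        # pattern is matched against what the application would actually store.
        params = parse_qs(m["body"], keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                if SCRIPT_RE.search(value):
                    hits.append({"ts": m["ts"], "src": m["src"], "path": m["path"],
                                 "param": name, "value": value})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_calendar_posts(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} {hit["path"]} {hit["param"]}={hit["value"]!r}')
```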
🔗 References
- https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes
- https://documentation.concretecms.org/developers/introduction/version-history/8519-release-notes
- https://github.com/concretecms/concretecms/commit/7c8ed0d1d9db0d7f6df7fa066e0858ea618451a5
- https://github.com/concretecms/concretecms/pull/12183
- https://github.com/concretecms/concretecms/pull/12184