CVE-2024-8660
📋 TL;DR
Concrete CMS versions 9.0.0 through 9.3.3 have a stored cross-site scripting (XSS) vulnerability in the Top Navigator Bar block. A rogue administrator can inject malicious JavaScript that executes when users visit the home page. This affects all Concrete CMS installations using the vulnerable versions with the Top Navigator Bar feature enabled.
💻 Affected Systems
- Concrete CMS
📦 What is this software?
Concrete CMS, by Concrete CMS
⚠️ Risk & Real-World Impact
Worst Case
A compromised administrator account could inject persistent malicious scripts that steal session cookies, redirect users to phishing sites, or perform actions on behalf of authenticated users when they visit the home page.
Likely Case
A malicious administrator or compromised admin account injects tracking scripts, defaces content, or steals limited user data via XSS payloads.
If Mitigated
With proper administrator account security and monitoring, impact is limited to potential content defacement or minor data leakage from users visiting the home page.
🎯 Exploit Status
Exploitation requires administrator privileges. The vulnerability is in the output sanitization of the Top Navigator Bar block.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.3.4
Vendor Advisory: https://documentation.concretecms.org/9-x/developers/introduction/version-history/934-release-notes
Restart Required: No
Instructions:
1. Back up your Concrete CMS installation and database.
2. Update to Concrete CMS version 9.3.4 or later.
3. Verify that the update completed successfully.
4. Clear any cached content.
🔧 Temporary Workarounds
Disable Top Navigator Bar Block
Remove or disable the Top Navigator Bar block from your site layout to eliminate the attack surface.
Restrict Administrator Privileges
Implement strict access controls and review administrator accounts to minimize the attack surface.
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Enable XSS protection headers and input validation at the web server level
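A CSP only helps against this stored XSS if the policy that governs scripts actually forbids inline script. The checker below, added here as an illustration and not code from Concrete CMS or the advisory, parses a Content-Security-Policy header value and reports whether its effective script directive (script-src, falling back to default-src) would block an injected inline script. The sample header values are constructed.

```python
"""Check whether a Content-Security-Policy header would block inline <script>
injected into a page, the stored-XSS scenario described for CVE-2024-8660.
Added illustration; not Concrete CMS code. Sample headers are constructed."""
from typing import Optional

# Source expressions that, per CSP3, cause 'unsafe-inline' to be ignored.
_INLINE_OVERRIDES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-", "'strict-dynamic'")


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive_name: [source, ...]}.
    Directive names are lower-cased; the first occurrence of a name wins, as in browsers."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def csp_blocks_inline_script(header: Optional[str]) -> bool:
    """True if the policy's effective script directive forbids inline <script>.

    - No header, or neither script-src nor default-src: nothing restricts scripts.
    - 'unsafe-inline' present without a nonce/hash/strict-dynamic: inline allowed.
    - Otherwise inline script is blocked (a bare directive with no sources means 'none')."""
    if not header:
        return False
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False
    sources = [s.lower() for s in sources]
    overridden = any(s.startswith(_INLINE_OVERRIDES) for s in sources)
    if "'unsafe-inline'" in sources and not overridden:
        return False
    return True


if __name__ == "__main__":
    # Constructed header values, weak setting beside the corrected one.
    samples = {
        "weak":     "default-src 'self'; script-src 'self' 'unsafe-inline'",
        "fixed":    "default-src 'self'; script-src 'self'",
        "nonce":    "script-src 'nonce-r4nd0m' 'unsafe-inline'",  # unsafe-inline ignored
        "noscript": "img-src 'self'",                             # scripts unrestricted
    }
    for name, value in samples.items():
        print(f"{name:9} blocks inline script: {csp_blocks_inline_script(value)}")
```

Run it against the header your web server or reverse proxy actually emits (for example, the value returned for the home page); a policy that relies on 'unsafe-inline' for script-src gives no protection against a script stored in the block.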
🔍 How to Verify
Check if Vulnerable:
Check the Concrete CMS version in the admin dashboard or via /concrete/config/app.php. If the version is between 9.0.0 and 9.3.3 inclusive and the Top Navigator Bar block is enabled, the system is vulnerable.
Check Version:
Check /concrete/config/app.php for the version number, or use the Concrete CMS admin dashboard.
Verify Fix Applied:
After updating, confirm the version is 9.3.4 or higher. Test Top Navigator Bar functionality to ensure it works without allowing script injection.
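The version check above is easy to get wrong with string comparison ("9.3.10" sorts before "9.3.4" as text). The script below, added here as an example and not part of the advisory or of Concrete CMS, compares the version numerically against the inclusive range 9.0.0 to 9.3.3 and combines it with the Top Navigator Bar condition. The `version_from_config` helper assumes a PHP config array with a `'version' => '...'` entry; that layout and the sample file contents are constructed for the example.

```python
"""Decide whether a Concrete CMS install falls in the CVE-2024-8660 range.
Added example; not advisory or Concrete CMS code."""
import re
from typing import Optional, Tuple

VULNERABLE_MIN = (9, 0, 0)   # inclusive, per the advisory
VULNERABLE_MAX = (9, 3, 3)   # inclusive; fixed in 9.3.4


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '9.3.3' (or '9.3.3RC1', '9.3') into a comparable (major, minor, patch) tuple.
    A pre-release suffix is ignored, so a 9.3.3 pre-release is treated as 9.3.3."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version: str, top_navigator_bar_enabled: bool = True) -> bool:
    """True only if the version is in [9.0.0, 9.3.3] AND the block is enabled."""
    in_range = VULNERABLE_MIN <= parse_version(version) <= VULNERABLE_MAX
    return in_range and top_navigator_bar_enabled


def version_from_config(php_source: str) -> Optional[str]:
    """Extract the 'version' value from a PHP config array.
    Assumed layout: 'version' => '9.3.3' (constructed assumption, not verified)."""
    m = re.search(r"['\"]version['\"]\s*=>\s*['\"]([^'\"]+)['\"]", php_source)
    return m.group(1) if m else None


# Constructed sample config contents for the demonstration.
SAMPLE_CONFIG = """<?php
return [
    'version' => '9.3.3',
    'version_installed' => '9.3.3',
];
"""

if __name__ == "__main__":
    found = version_from_config(SAMPLE_CONFIG)
    print(f"config version: {found}")
    for v in ("8.5.20", "9.0.0", "9.3.3", "9.3.3RC1", "9.3.4", "9.3.10"):
        print(f"{v:9} vulnerable (block enabled): {is_vulnerable(v)}")
    print(f"9.3.3 with block disabled: {is_vulnerable('9.3.3', top_navigator_bar_enabled=False)}")
```

For the post-update check, the same function must return False for the installed version; a True result after patching means the update did not actually take effect (for example, a cached or second copy of the config is being read).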
📡 Detection & Monitoring
Log Indicators:
- Unusual administrator activity modifying Top Navigator Bar content
- JavaScript payloads in block edit logs
Network Indicators:
- Unexpected script tags loading from home page
- Suspicious outbound connections from home page visits
SIEM Query:
web_logs WHERE (uri CONTAINS '/dashboard/blocks/top_navigator_bar' OR uri CONTAINS '/ccm/system/block/render') AND (user_agent CONTAINS 'admin' OR user CONTAINS 'admin')
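The SIEM query above is written in a generic pseudo-syntax; the script below, added here as an example rather than anything from the advisory or Concrete CMS, shows the same logic applied to web server access logs in combined log format. It keys on the two URI fragments from the query, URL-decodes the request path before matching so encoded payloads are not missed, and reports script-like content or POST activity against those endpoints. The log lines, client addresses and user names are constructed.

```python
"""Flag access-log entries touching the Top Navigator Bar block endpoints
named in the CVE-2024-8660 advisory. Added example; sample log lines are constructed."""
import re
from urllib.parse import unquote
from typing import List, Optional, Tuple

# URI fragments taken from the advisory's SIEM query.
WATCHED_PATHS = ("/dashboard/blocks/top_navigator_bar", "/ccm/system/block/render")

# Script-like content in a request line to a watched path (matched after URL-decoding).
SCRIPT_MARKERS = re.compile(r"<script|javascript:|on(?:error|load)\s*=", re.IGNORECASE)

# Combined log format: ip ident user [time] "METHOD uri PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]+" (?P<status>\d{3}) \S+'
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> Optional[str]:
    """Return a reason string if the request touches a watched block endpoint."""
    uri = unquote(entry["uri"])
    if not any(path in uri for path in WATCHED_PATHS):
        return None
    if SCRIPT_MARKERS.search(uri):
        return "script-like payload in request to block endpoint"
    if entry["method"] == "POST":
        return "block edit/render POST by " + entry["user"]
    return "block endpoint access by " + entry["user"]


def scan(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (time, user, uri, reason) for every flagged entry; unparsable lines are skipped."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            hits.append((entry["time"], entry["user"], entry["uri"], reason))
    return hits


# Constructed sample log lines (documentation-range addresses, invented user names).
SAMPLE_LOGS = [
    '203.0.113.5 - - [12/Sep/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 5120',
    '203.0.113.5 - - [12/Sep/2024:10:01:03 +0000] "GET /application/files/style.css HTTP/1.1" 200 840',
    '198.51.100.7 - admin [12/Sep/2024:10:05:44 +0000] "POST /index.php/ccm/system/block/render HTTP/1.1" 200 2210',
    '198.51.100.7 - admin [12/Sep/2024:10:06:10 +0000] "GET /index.php/dashboard/blocks/top_navigator_bar?q=%3Cscript%3E HTTP/1.1" 200 913',
    'this line is not in combined log format and is skipped',
]

if __name__ == "__main__":
    for time, user, uri, reason in scan(SAMPLE_LOGS):
        print(f"{time}  user={user}  {reason}  uri={uri}")
```

Edits to the block happen over authenticated dashboard requests, so a hit on these paths is expected from legitimate administrators; the value is in correlating the time and user with your change-management record and in the payload check, which should never fire for normal block edits.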