Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-3ejn-3ds7-u7g8

Summary

Improper Input Validation
Concrete CMS version 9 before 9.2.5 is vulnerable to  stored XSS via the Role Name field since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the affected page. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Concrete versions below 9 do not include group types so they are not affected by this vulnerability.

Aliases

alias	CVE-2024-1247

alias	GHSA-q25h-jch8-gfrp

Fixed_packages

url	pkg:composer/concrete5/concrete5@9.2.5
purl	pkg:composer/concrete5/concrete5@9.2.5
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.2.5

Affected_packages

url pkg:composer/concrete5/concrete5@9.0.0-RC1

purl pkg:composer/concrete5/concrete5@9.0.0-RC1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1ptm-ydqz-gybk

vulnerability	VCID-3ejn-3ds7-u7g8

vulnerability	VCID-3z92-cd94-cfdt

vulnerability	VCID-4e63-f1w1-rudp

vulnerability	VCID-av2c-h349-tkae

vulnerability	VCID-tsf3-f23x-uybj

vulnerability	VCID-txnd-sm12-qfdj

vulnerability	VCID-x7qc-tw7s-tugy

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/concrete5/concrete5@9.0.0-RC1

References

reference_url	https://documentation.concretecms.org/9-x/developers/introduction/version-history/925-release-notes
reference_id
reference_type
scores
url	https://documentation.concretecms.org/9-x/developers/introduction/version-history/925-release-notes

reference_url	https://github.com/concretecms/concretecms/commit/59a07472ad6349a2c5fb455837a54ed1fe3f6953
reference_id
reference_type
scores
url	https://github.com/concretecms/concretecms/commit/59a07472ad6349a2c5fb455837a54ed1fe3f6953

reference_url	https://www.concretecms.org/about/project-news/security/2024-02-04-security-advisory
reference_id
reference_type
scores
url	https://www.concretecms.org/about/project-news/security/2024-02-04-security-advisory

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2024-1247
reference_id	CVE-2024-1247
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2024-1247

reference_url	https://github.com/advisories/GHSA-q25h-jch8-gfrp
reference_id	GHSA-q25h-jch8-gfrp
reference_type
scores
url	https://github.com/advisories/GHSA-q25h-jch8-gfrp

Weaknesses

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

cwe_id	20
name	Improper Input Validation
description	The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

cwe_id	79
name	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
description	The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

Exploits

Severity_range_score null

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3ejn-3ds7-u7g8

Vulnerability Instance