Publish Advisories

GHSA-45fj-fvmm-xcc5
GHSA-6mxw-2vhf-42g5
GHSA-mm5f-5rqw-574f

Author: advisory-database[bot]

…-45fj-fvmm-xcc5/GHSA-45fj-fvmm-xcc5.json …-45fj-fvmm-xcc5/GHSA-45fj-fvmm-xcc5.jsonadvisories/unreviewed/2026/03/GHSA-45fj-fvmm-xcc5/GHSA-45fj-fvmm-xcc5.json renamed to advisories/github-reviewed/2026/03/GHSA-45fj-fvmm-xcc5/GHSA-45fj-fvmm-xcc5.json advisories/unreviewed/2026/03/GHSA-45fj-fvmm-xcc5/GHSA-45fj-fvmm-xcc5.json renamed to advisories/github-reviewed/2026/03/GHSA-45fj-fvmm-xcc5/GHSA-45fj-fvmm-xcc5.json

@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-45fj-fvmm-xcc5",
-  "modified": "2026-03-04T03:31:34Z",
+  "modified": "2026-03-04T21:36:26Z",
   "published": "2026-03-04T03:31:34Z",
   "aliases": [
     "CVE-2026-3240"
   ],
-  "details": "In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored XSS attack towards high-privilege accounts via the Question field. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Thanks minhnn42, namdi and quanlna2 from VCSLab-Viettel Cyber Security for reporting.",
+  "summary": "Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability",
+  "details": "In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored XSS attack towards high-privilege accounts via the Question field. \n\nThe Concrete CMS security team thanks minhnn42, namdi and quanlna2 from VCSLab-Viettel Cyber Security for reporting.",
   "severity": [
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "concrete5/concrete5"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "9.4.8"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
@@ -26,15 +47,19 @@
     {
       "type": "WEB",
       "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/concretecms/concretecms"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-79"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-04T21:36:26Z",
     "nvd_published_at": "2026-03-04T03:16:04Z"
   }
 }

…-6mxw-2vhf-42g5/GHSA-6mxw-2vhf-42g5.json …-6mxw-2vhf-42g5/GHSA-6mxw-2vhf-42g5.jsonadvisories/unreviewed/2026/03/GHSA-6mxw-2vhf-42g5/GHSA-6mxw-2vhf-42g5.json renamed to advisories/github-reviewed/2026/03/GHSA-6mxw-2vhf-42g5/GHSA-6mxw-2vhf-42g5.json advisories/unreviewed/2026/03/GHSA-6mxw-2vhf-42g5/GHSA-6mxw-2vhf-42g5.json renamed to advisories/github-reviewed/2026/03/GHSA-6mxw-2vhf-42g5/GHSA-6mxw-2vhf-42g5.json

@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6mxw-2vhf-42g5",
-  "modified": "2026-03-04T03:31:34Z",
+  "modified": "2026-03-04T21:34:58Z",
   "published": "2026-03-04T03:31:34Z",
   "aliases": [
     "CVE-2026-2994"
   ],
-  "details": "Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via group_id parameter which can leads to a security bypass since changes are saved prior to checking the CSRF token. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks z3rco for reporting",
+  "summary": "Concrete CMS vulnerable to Cross-Site Request Forgery (CSRF)",
+  "details": "Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via group_id parameter which can leads to a security bypass since changes are saved prior to checking the CSRF token. \n\nThe Concrete CMS security team thanks z3rco for reporting",
   "severity": [
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "concrete5/concrete5"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "9.4.8"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
@@ -26,15 +47,19 @@
     {
       "type": "WEB",
       "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/concretecms/concretecms"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-352"
     ],
     "severity": "LOW",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-04T21:34:58Z",
     "nvd_published_at": "2026-03-04T03:16:04Z"
   }
 }

…-mm5f-5rqw-574f/GHSA-mm5f-5rqw-574f.json …-mm5f-5rqw-574f/GHSA-mm5f-5rqw-574f.jsonadvisories/unreviewed/2026/03/GHSA-mm5f-5rqw-574f/GHSA-mm5f-5rqw-574f.json renamed to advisories/github-reviewed/2026/03/GHSA-mm5f-5rqw-574f/GHSA-mm5f-5rqw-574f.json advisories/unreviewed/2026/03/GHSA-mm5f-5rqw-574f/GHSA-mm5f-5rqw-574f.json renamed to advisories/github-reviewed/2026/03/GHSA-mm5f-5rqw-574f/GHSA-mm5f-5rqw-574f.json

@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mm5f-5rqw-574f",
-  "modified": "2026-03-04T03:31:34Z",
+  "modified": "2026-03-04T21:34:11Z",
   "published": "2026-03-04T03:31:34Z",
   "aliases": [
     "CVE-2026-3244"
   ],
-  "details": "In Concrete CMS below version 9.4.8, A stored cross-site scripting (XSS) vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page names that executes when users search for and view those pages in search results. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N.  Thanks zolpak for reporting",
+  "summary": "Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability",
+  "details": "In Concrete CMS below version 9.4.8, A stored Cross-site Scripting (XSS) vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page names that executes when users search for and view those pages in search results. \n\nThe Concrete CMS security team thanks zolpak for reporting.",
   "severity": [
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "concrete5/concrete5"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "9.4.8"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
@@ -26,15 +47,19 @@
     {
       "type": "WEB",
       "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/concretecms/concretecms"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-79"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-04T21:34:11Z",
     "nvd_published_at": "2026-03-04T02:15:54Z"
   }
 }