CVE-2022-43695 is a medium severity Stored Cross-Site Scripting (XSS) vulnerability affecting Concrete CMS versions below 8.5.10 and between 9.0.0 and 9.1.2. Concrete CMS, formerly known as concrete5, is an open-source content management system widely used for building and managing websites. The vulnerability exists within the dashboard/system/express/entities/associations component. Specifically, the system allows association with an entity name that either does not exist or, if it does exist, contains malicious script code that is not properly sanitized. This improper input validation and output encoding flaw enables an attacker with authenticated access and user interaction to inject and store malicious JavaScript payloads. When other users or administrators access the affected dashboard pages, the malicious script executes in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the CMS environment. The CVSS 3.1 base score is 4.8, reflecting a medium severity level. The vector indicates that the attack requires network access, low attack complexity, privileges (high), and user interaction, with a scope change and limited confidentiality and integrity impact but no availability impact. No known exploits are currently reported in the wild. The recommended remediation is to update Concrete CMS to versions 9.1.3 or higher, or 8.5.10 or higher, where the vulnerability has been fixed by proper sanitization of entity names in the affected component.

For European organizations using Concrete CMS, this vulnerability poses a risk primarily to the confidentiality and integrity of their web management interfaces. An attacker who gains authenticated access—potentially through compromised credentials or insider threat—can inject malicious scripts that execute in the browsers of other administrators or users with dashboard access. This can lead to session hijacking, unauthorized changes to website content or configurations, and potential lateral movement within the CMS environment. While the vulnerability does not directly affect availability, the compromise of administrative interfaces can result in defacement, data leakage, or unauthorized content publication, damaging organizational reputation and compliance posture. Given the widespread use of Concrete CMS among small to medium enterprises and public sector websites in Europe, especially in countries with strong digital government initiatives, the impact could be significant if exploited. The requirement for authenticated access and user interaction limits the attack surface but does not eliminate risk, especially in environments with weak access controls or social engineering susceptibility.

1. Immediate upgrade of Concrete CMS installations to version 9.1.3 or later, or 8.5.10 or later, to ensure the vulnerability is patched. 2. Implement strict access controls and multi-factor authentication (MFA) for all CMS administrative accounts to reduce the risk of credential compromise. 3. Conduct regular audits of user accounts and permissions within Concrete CMS to minimize the number of users with high privileges. 4. Employ Content Security Policy (CSP) headers to mitigate the impact of potential XSS payloads by restricting script execution sources. 5. Monitor CMS logs and user activity for unusual behavior indicative of attempted exploitation or lateral movement. 6. Educate administrators and users about phishing and social engineering risks to reduce the likelihood of credential theft leading to authenticated exploitation. 7. If upgrading immediately is not feasible, consider temporary mitigations such as disabling the affected dashboard features or restricting access to trusted IP ranges.