
CVE-2022-43695: n/a in n/a

Medium
Published: Mon Nov 14 2022 (11/14/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn’t exist or, if it does exist, contains XSS since it was not properly sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

AI-Powered Analysis

AI analysis last updated: 07/06/2025, 17:57:46 UTC

Technical Analysis

CVE-2022-43695 is a medium severity Stored Cross-Site Scripting (XSS) vulnerability affecting Concrete CMS versions below 8.5.10 and between 9.0.0 and 9.1.2. Concrete CMS, formerly known as concrete5, is an open-source content management system widely used for building and managing websites. The vulnerability exists within the dashboard/system/express/entities/associations component. Specifically, the system allows an association with an entity name that either does not exist or, if it does exist, contains script code that is not properly sanitized. This improper input validation and output encoding flaw enables an attacker with authenticated access, and with user interaction from a victim, to inject and store a malicious JavaScript payload. When other users or administrators open the affected dashboard pages, the stored script executes in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions within the CMS environment. The CVSS 3.1 base score is 4.8, reflecting a medium severity level. The vector indicates that the attack requires network access, low attack complexity, high privileges, and user interaction, with a scope change and limited confidentiality and integrity impact but no availability impact. No known exploits are currently reported in the wild. The recommended remediation is to update Concrete CMS to version 9.1.3 or higher, or 8.5.10 or higher, where the vulnerability has been fixed by proper sanitization of entity names in the affected component.

Potential Impact

For European organizations using Concrete CMS, this vulnerability poses a risk primarily to the confidentiality and integrity of their web management interfaces. An attacker who gains authenticated access—potentially through compromised credentials or insider threat—can inject malicious scripts that execute in the browsers of other administrators or users with dashboard access. This can lead to session hijacking, unauthorized changes to website content or configurations, and potential lateral movement within the CMS environment. While the vulnerability does not directly affect availability, the compromise of administrative interfaces can result in defacement, data leakage, or unauthorized content publication, damaging organizational reputation and compliance posture. Given the widespread use of Concrete CMS among small to medium enterprises and public sector websites in Europe, especially in countries with strong digital government initiatives, the impact could be significant if exploited. The requirement for authenticated access and user interaction limits the attack surface but does not eliminate risk, especially in environments with weak access controls or social engineering susceptibility.

Mitigation Recommendations

1. Immediately upgrade Concrete CMS installations to version 9.1.3 or later, or 8.5.10 or later, to ensure the vulnerability is patched.
2. Implement strict access controls and multi-factor authentication (MFA) for all CMS administrative accounts to reduce the risk of credential compromise.
3. Conduct regular audits of user accounts and permissions within Concrete CMS to minimize the number of users with high privileges.
4. Employ Content Security Policy (CSP) headers to mitigate the impact of potential XSS payloads by restricting script execution sources.
5. Monitor CMS logs and user activity for unusual behavior indicative of attempted exploitation or lateral movement.
6. Educate administrators and users about phishing and social engineering risks to reduce the likelihood of credential theft leading to authenticated exploitation.
7. If upgrading immediately is not feasible, consider temporary mitigations such as disabling the affected dashboard features or restricting access to trusted IP ranges.
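To support mitigation step 1, the following triage helper applies the affected ranges stated in this advisory (below 8.5.10, and 9.0.0 through 9.1.2 inclusive) to an inventory of Concrete CMS version strings and reports the minimum fixed release per branch. It is an added example, not code from the advisory or from Concrete CMS; the hostnames and versions in the sample inventory are constructed, and pre-release suffixes are assumed to be ignorable.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges taken from the CVE description:
#   below 8.5.10, and 9.0.0 through 9.1.2 inclusive; fixed in 8.5.10 and 9.1.3.
FIXED_8X: Version = (8, 5, 10)
FIRST_9X: Version = (9, 0, 0)
FIXED_9X: Version = (9, 1, 3)


def parse_version(text: str) -> Optional[Version]:
    """Extract major.minor.patch from strings like '9.1.2' or 'concrete5 8.5.9'.
    A missing patch component is treated as 0. Assumption: pre-release
    suffixes are ignored, so '9.1.3rc1' is treated as 9.1.3."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: Version) -> bool:
    """True when the version falls inside either affected range."""
    if version < FIXED_8X:                 # anything below 8.5.10
        return True
    return FIRST_9X <= version < FIXED_9X  # 9.0.0 .. 9.1.2


def recommended_upgrade(version: Version) -> Optional[str]:
    """Minimum fixed release on the same branch, or None if not affected."""
    if not is_affected(version):
        return None
    return "9.1.3" if version >= FIRST_9X else "8.5.10"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in {host: version string} to a triage status."""
    result = {}
    for host, raw in inventory.items():
        v = parse_version(raw)
        if v is None:
            result[host] = "unknown version"
        elif is_affected(v):
            result[host] = f"AFFECTED, upgrade to {recommended_upgrade(v)}"
        else:
            result[host] = "not affected"
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "intranet.example.org": "Concrete CMS 9.1.2",
    "www.example.org": "9.1.3",
    "legacy.example.org": "concrete5 8.5.9",
    "shop.example.org": "8.5.10",
    "staging.example.org": "version unknown",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```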


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-10-24T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fc1484d88663aecc4b

Added to database: 5/20/2025, 6:59:08 PM

Last enriched: 7/6/2025, 5:57:46 PM

Last updated: 8/18/2025, 7:51:24 AM
