CVE-2025-0660 in Concrete

Summary

by MITRE • 03/10/2025

Concrete CMS versions 9.0.0 through 9.3.9 are affected by a stored XSS in Folder Function. The "Add Folder" functionality lacks input sanitization, allowing a rogue admin to inject XSS payloads as folder names. The Concrete CMS security team gave this vulnerability a CVSS 4.0 Score of 4.8 with vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N. Versions below 9 are not affected. Thanks, Alfin Joseph for reporting.


Analysis

by VulDB Data Team • 09/04/2025

Concrete CMS versions 9.0.0 through 9.3.9 contain a stored cross-site scripting vulnerability in the folder functionality. It stems from insufficient input sanitization in the "Add Folder" functionality: an authenticated administrator with sufficient privileges can inject JavaScript into a folder name. The flaw lies in the server-side handling of folder creation requests, where the user-supplied folder name is stored without validation or sanitization, creating a persistent XSS vector for anyone who has gained administrative access to the system.

Technically this is a classic stored XSS flaw matching CWE-79 (improper neutralization of input during web page generation). Concrete CMS neither sanitizes the folder name before storing it in the database nor encodes it when rendering it in the web interface. When another administrator views the folder list or navigates into a folder with a crafted name, the injected JavaScript runs in that user's browser, which can lead to session hijacking, credential theft, or further exploitation of the affected system. The CVSS 4.0 score of 4.8 (medium severity) reflects a network attack vector with low attack complexity and required user interaction; the privileges-required metric is high because the attacker needs administrative access.

The operational impact goes beyond running a script: the vulnerability gives an attacker a foothold for more sophisticated attacks within the Concrete CMS environment. Because a crafted folder name persists in the system until it is removed manually, the flaw is particularly dangerous for long-term operations. It affects the availability and integrity of the content management system's folder structure and can be used to redirect users to malicious websites or to steal sensitive information from authenticated sessions. Organizations relying on Concrete CMS for content management are particularly affected, since the flaw undermines the trust and security assumptions of the administrative interface.

Organizations should update to Concrete CMS 9.4.0 or later, where this issue is resolved. Administrators should also consider input validation at multiple layers, regular monitoring of folder creation activity, and access controls that limit the damage a compromised administrative account can do. The classification under ATT&CK techniques T1566.001 ("Phishing") and T1059.007 ("Command and Scripting Interpreter") highlights the potential for attackers to use this flaw in broader exploitation campaigns. Security teams should monitor for suspicious folder creation patterns and consider a web application firewall to identify and block malicious payloads before they execute. Since exploitation requires administrative privileges, organizations should also review their access control policies and apply the principle of least privilege.
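The analysis above describes two defences: encoding or validating the folder name before it reaches the page, and monitoring folder creation for names that carry markup. The following is an added example, not Concrete CMS code and not from the VulDB entry, written in plain JavaScript (Node) to show the vulnerable rendering pattern next to a hardened one, a validation rule for the "Add Folder" boundary, and a scan over constructed audit-log lines. The folder-name policy, the log line format and all sample data are assumptions made for illustration.

```javascript
// Added example (not Concrete CMS code). Shows (1) why concatenating a stored
// folder name into HTML is a stored-XSS sink, (2) output encoding that
// neutralises it, (3) an input-validation rule for folder names, and
// (4) a detection pass over folder-creation audit events.

// Output encoding: escape the five characters that can change HTML context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored name is dropped straight into markup, so any
// tags inside it become part of the page and run in the viewer's browser.
function renderFolderRowUnsafe(folderName) {
  return `<li class="folder">${folderName}</li>`;
}

// Hardened pattern: the same row, with the name encoded as an HTML text node.
function renderFolderRowSafe(folderName) {
  return `<li class="folder">${escapeHtml(folderName)}</li>`;
}

// Input validation at the "Add Folder" boundary. Assumed policy (not the CMS's
// own): 1-128 characters, no HTML-significant characters, no control characters.
const FOLDER_NAME_RE = /^[^<>"'&\u0000-\u001f]{1,128}$/;
function isValidFolderName(folderName) {
  return typeof folderName === "string" && FOLDER_NAME_RE.test(folderName);
}

// Detection: flag folder-creation events whose name fails the policy above.
// Assumed audit line shape: <timestamp> user=<name> action=folder.add name=<JSON string>
const AUDIT_LINE_RE = /^(\S+) user=(\S+) action=folder\.add name=(".*")$/;
function findSuspiciousFolderCreations(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = AUDIT_LINE_RE.exec(line);
    if (!m) continue; // not a folder.add event
    let name;
    try {
      name = JSON.parse(m[3]); // the name is logged as a JSON string literal
    } catch (e) {
      continue; // malformed line; skip rather than crash the scan
    }
    if (!isValidFolderName(name)) {
      hits.push({ ts: m[1], user: m[2], name });
    }
  }
  return hits;
}

// Constructed sample audit lines (not real Concrete CMS log output).
const SAMPLE_LOG = [
  '2025-01-23T10:00:00Z user=editor1 action=folder.add name="Press Releases"',
  '2025-01-23T10:05:12Z user=admin2 action=folder.add name="<script>alert(1)</script>"',
  '2025-01-23T10:07:45Z user=editor1 action=folder.add name="Annual Report 2024"',
];

// Walk through the sample: the crafted name survives the unsafe renderer,
// is neutralised by the safe one, fails validation, and is the only hit in the scan.
function demo() {
  const crafted = "<script>alert(1)</script>";
  return {
    unsafeRow: renderFolderRowUnsafe(crafted),
    safeRow: renderFolderRowSafe(crafted),
    accepted: isValidFolderName(crafted),
    hits: findSuspiciousFolderCreations(SAMPLE_LOG),
  };
}
```

Output encoding at render time is the fix that closes the hole regardless of how the name got into the database; the validation rule and the log scan are the defence-in-depth layers the analysis recommends, and the scan is deliberately strict (it flags any name the policy would have rejected, not only names with a full script tag).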

Responsible: ConcreteCMS

Reservation: 01/23/2025

Disclosure: 03/10/2025

Moderation: accepted

CPE: ready

EPSS: 0.00300

KEV: no

Activities: very low

Sources
