Concrete CMS 8.5.18
12 August 2024
Concrete CMS version 8.5.18 is now available (security release).
Upgrading to Concrete CMS 8.5.18
Concrete CMS 8.5.18 can be installed, or upgraded to, using any of Installatron's products. Use Installatron's optional Automatic Update feature to apply Concrete CMS updates automatically as new versions are released, or use Installatron's Clone feature to duplicate an existing Concrete CMS install and test the 8.5.18 upgrade before applying it to the live site. Get started managing your Concrete CMS installations with Installatron.
What's New in Concrete CMS 8.5.18
Security
- Fixed CVE-2024-4350, a stored XSS in the RSS Displayer block, with commit 12166 for version 9 and commit c08d9671cec4e7afdabb547339c4bc0bed8eab06 for version 8. Before the fix, a rogue administrator could inject malicious code into block fields because of insufficient input validation. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.0 (vector AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N) and a CVSS v4.0 score of 2.1 (vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N). Thanks to m3dium for reporting this (HackerOne 2479824).
- Fixed CVE-2024-7394, a stored XSS in getAttributeSetName(), by sanitizing Board instance names on output, with commit 12166 for version 9 and commit c08d9671cec4e7afdabb547339c4bc0bed8eab06 for version 8. Before the fix, a rogue administrator could inject malicious code. The Concrete CMS team gave this a CVSS v3.1 score of 2.0 (vector AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N) and a CVSS v4.0 score of 1.8 (vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N). Thanks to m3dium for reporting this (HackerOne 2463288).
- The RSS Displayer block now shows a more generic error message if curl is unable to load posts, so the page no longer exposes the detail of why the fetch failed. Thanks to m3dium for recommending this (HackerOne 2479824).
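Both XSS fixes above come down to the same rule: a string an administrator (or a remote feed) controls must be entity-encoded at the point where it is written into HTML, and the curl change is the companion rule of not echoing backend failure detail to page viewers. The following PHP is an added illustration written for these release notes, not Concrete CMS's own block code or the actual patch; the function names `escapeHtml`, `renderFeedItem` and `loadFeed`, the sample feed item and the `feed.invalid` URL are all constructed for the example. Only `htmlspecialchars()` and the `curl_*` functions are real PHP.

```php
<?php
// Added example, not Concrete CMS code. Shows (1) the pre-fix rendering of a
// feed-controlled string versus output escaping, and (2) a curl fetch that
// returns a fixed, generic message instead of the raw curl error.
declare(strict_types=1);

/**
 * Escape an untrusted string for an HTML text node or a double-quoted
 * attribute value. This is the same transformation as htmlspecialchars with
 * ENT_QUOTES, which is what "sanitizing on output" means in practice.
 */
function escapeHtml(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Render one feed item as a list entry.
 * $escape = false reproduces the vulnerable pattern: the stored title and
 * link are concatenated into markup unchanged, so a <script> tag or an
 * attribute-breaking quote reaches the browser as live HTML.
 * $escape = true is the hardened form: angle brackets and quotes become
 * entities and the payload is displayed as text.
 */
function renderFeedItem(array $item, bool $escape): string
{
    $title = $escape ? escapeHtml($item['title']) : $item['title'];
    $link  = $escape ? escapeHtml($item['link'])  : $item['link'];
    return '<li><a href="' . $link . '">' . $title . '</a></li>';
}

/**
 * Fetch a feed body with curl. On failure, return a generic message rather
 * than curl_error(): the raw error can name internal hosts, proxies or TLS
 * problems that an anonymous visitor of the page has no reason to see.
 * Log the detailed error server-side instead (error_log here, hypothetical).
 */
function loadFeed(string $url, int $timeoutSeconds = 5): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,   // no silent redirects to other hosts
        CURLOPT_TIMEOUT        => $timeoutSeconds,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $detail = curl_error($ch);          // e.g. DNS or connection failure
        curl_close($ch);
        error_log('RSS fetch failed for ' . $url . ': ' . $detail);
        return ['ok' => false, 'error' => 'Unable to load posts at this time.'];
    }
    curl_close($ch);
    return ['ok' => true, 'body' => $body];
}

// Constructed sample item: an administrator-controlled feed title and link
// carrying XSS payloads (a script tag and an attribute-breaking quote).
$item = [
    'title' => '<script>alert(document.cookie)</script>Latest post',
    'link'  => 'https://example.invalid/post/1" onmouseover="alert(1)',
];

echo renderFeedItem($item, false), PHP_EOL; // vulnerable: markup passes through intact
echo renderFeedItem($item, true), PHP_EOL;  // hardened: brackets and quotes are entity-encoded

// .invalid is a reserved TLD that never resolves, so this exercises the
// failure path offline and prints only the generic message.
$result = loadFeed('https://feed.invalid/rss.xml');
echo $result['ok'] ? $result['body'] : $result['error'], PHP_EOL;
```

Two practical notes. Escaping must happen for every sink, attribute values included: the sample link shows that a title-only fix would still leave the `href` attribute breakable. And escaping at output, rather than stripping on input, is what keeps already-stored payloads harmless after an upgrade, which matters for a stored XSS like these two, where the malicious value may already be in the database when the fix is deployed.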
Bug Fixes
- Fixed a bug where boolean page attributes that are checked by default showed up as checked even if they had previously been saved unchecked (thanks hissy)
- Fixed some issues when using Redis to store sessions under certain conditions (thanks mlocati)