VIR Vulnerability Intelligence Relay

CVE-2025-8573

unknown
Published 2025-08-06 ยท Modified 2025-08-06
๐Ÿ’ฌ Discuss on Community โœš Propose mitigation
CVSS v3
โ€”
CVSS v4 NEW
โ€”
not yet in upstream
VIR risk
1.0

Description

Concrete CMS is vulnerable to Stored XSS from Home Folder on Members Dashboard page

Predictions

Exploit likelihood
20%
Patch ETA
โ€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ€” if you've already worked around this in production โ€” publish your fix to the community-verified tier.

โœš Propose a mitigation on Community โ†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-52428 webapps multiple text ยท 1 KB
Chokri Hammedi ยท 2025-09-16

Concrete CMS 9.4.3 - Stored XSS

text exploit Source: Exploit-DB 
# Exploit Title:  Concrete CMS 9.4.3 - Stored XSS
# Date: 2/09/2025
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.concretecms.org/
# Software Link:
https://www.concretecms.org/download_file/8e11ad24-cc1e-4880-8553-7c18ede22c50/2658
# Version: 9.4.3
# CVE : CVE-2025-8573
# Tested on: Windows XP


'''
Description:
A stored XSS vulnerability in the Concrete CMS admin panel allows
administrators to inject malicious scripts into the site's tracking codes,
which then execute for every site visitor.

'''


Reproduction Steps:
1. Login to Concrete CMS dashboard with administrator credentials
2. Navigate to: Dashboard โ†’ System & Settings โ†’ SEO & Statistics โ†’ Tracking
Codes
3. Locate the "Footer Tracking Codes" text input field
4. Insert malicious JavaScript payload: <script>alert('XSS')</script>
5. Save the configuration changes
6. Visit any frontend page of the website

Observe JavaScript alert execution on page load

Package impact
EcosystemPackageVulnerableFixed
php Packagistconcrete5/concrete5>=9.0.0RC1,<9.4.39.4.3

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.