{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "fixed": "8.5.8" }, { "introduced": "9.0.0" }, { "fixed": "9.1.0" } ] }, "events": [ { "introduced": "0" }, { "fixed": "f42593b79d0b4e1af1bdca3ead8235ab2c2757a6" }, { "introduced": "b3774abddd475b4ba98b637402506f7a5ebd90ea" }, { "fixed": "f1a0eb94bc70d74c58ec8746a7a940cf8257bf22" } ], "repo": "https://github.com/concretecms/concretecms", "type": "GIT" } ] } ], "details": "Title for CVE: XSS in /dashboard/system/express/entities/forms/save_control/[GUID]: old browsers only.Description: When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 can allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks zeroinside for reporting.", "id": "CVE-2022-30118", "modified": "2026-04-01T23:08:20.084222294Z", "published": "2022-06-24T15:15:10.913Z", "references": [ { "type": "ADVISORY", "url": "https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes" }, { "type": "ADVISORY", "url": "https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes" }, { "type": "REPORT", "url": "https://hackerone.com/reports/1370054" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "type": "CVSS_V3" } ] }