{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-26T21:36:43.906","vulnerabilities":[{"cve":{"id":"CVE-2025-8571","sourceIdentifier":"ff5b8ace-8b95-4078-9743-eac1ca5451de","published":"2025-08-05T23:15:38.493","lastModified":"2025-09-04T15:54:06.360","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Page. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and (if victim is an admin), the execution of unauthorized actions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks  Fortbridge https://fortbridge.co.uk/  for performing a penetration test and vulnerability assessment on Concrete CMS and reporting this issue."},{"lang":"es","value":"Concrete CMS 9 a 9.4.2 y versiones anteriores a la 8.5.21 son vulnerables a ataques de Cross-Site Scripting (XSS) reflejado en la página del panel de mensajes de conversación. La entrada no depurada podría provocar el robo de cookies o tokens de sesión, la desfiguración del contenido web, la redirección a sitios maliciosos y (si la víctima es administrador), la ejecución de acciones no autorizadas. El equipo de seguridad de Concrete CMS otorgó a esta vulnerabilidad una puntuación de 4.8 en CVSS v.4.0 con el vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Gracias a Fortbridge (https://fortbridge.co.uk/) por realizar una prueba de penetración y una evaluación de vulnerabilidades en Concrete CMS e informar de este problema."}],"metrics":{"cvssMetricV40":[{"source":"ff5b8ace-8b95-4078-9743-eac1ca5451de","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"HIGH","userInteraction":"PASSIVE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N","baseScore":4.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":1.7,"impactScore":2.7}]},"weaknesses":[{"source":"ff5b8ace-8b95-4078-9743-eac1ca5451de","type":"Secondary","description":[{"lang":"en","value":"CWE-20"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*","versionEndExcluding":"8.5.21","matchCriteriaId":"414E2949-3A12-45EB-8B1B-5BA3CF318CAB"},{"vulnerable":true,"criteria":"cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*","versionStartIncluding":"9.0","versionEndExcluding":"9.4.3","matchCriteriaId":"C19307FC-CE44-49FB-AF45-748240634883"}]}]}],"references":[{"url":"https://documentation.concretecms.org/9-x/developers/introduction/version-history/943-release-notes","source":"ff5b8ace-8b95-4078-9743-eac1ca5451de","tags":["Release Notes"]},{"url":"https://documentation.concretecms.org/developers/introduction/version-history/8521-release-notes","source":"ff5b8ace-8b95-4078-9743-eac1ca5451de","tags":["Release Notes"]},{"url":"https://www.concretecms.org/download","source":"ff5b8ace-8b95-4078-9743-eac1ca5451de","tags":["Product"]}]}}]}