[GHSA-998c-q8hh-h8gv] Update CVSS 4 Attack Complexity from Low to High #5166

Open
wants to merge 1 commit into
base: vulnerability-analyst/advisory-improvement-5166
Conversation

vulnerability-analyst

Summary

The vulnerability described in GHSA-998c-q8hh-h8gv / CVE-2024-8660 requires a rogue administrator for a successful attack:

Concrete CMS versions 9.0.0 through 9.3.3 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block. Since the "Top Navigator Bar" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted users visited the home page. This does not affect versions below 9.0.0 since they do not have the Top Navigator Bar Block. Thanks, Chu Quoc Khanh for reporting.

Based on the CVSS 4 specification, this vulnerability should have an Attack Complexity (AC) rating of High, not Low, because the attack relies on the privileges and knowledge of an administrator to bypass built-in security mechanisms.

Rationale

Alignment with CVSS 4 Specification

The CVSS 4 specification defines Attack Complexity = High as follows:

The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include:

  • Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place. For example, circumvention of address space randomization (ASLR) or data execution prevention (DEP) must be performed for the attack to be successful.
  • Obtaining target-specific secrets. The attacker must gather some target-specific secret before the attack can be successful. A secret is any piece of information that cannot be obtained through any amount of reconnaissance. To obtain the secret the attacker must perform additional attacks or break otherwise secure measures (e.g. knowledge of a secret key may be needed to break a crypto channel). This operation must be performed for each attacked target.

To execute the attack successfully, the attacker must either possess insider knowledge exclusive to an administrator or steal the administrator’s credentials. This requirement aligns with the CVSS 4 definition of Attack Complexity = High.

Comparison with Similar Vulnerabilities

Several similar vulnerabilities in Concrete CMS were rated with Attack Complexity = High and Attack Requirement = None, including:

  • GHSA-c47w-9mcf-w972 / CVE-2024-7512 (CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)

Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in Board instances. A rogue administrator could inject malicious code.

  • GHSA-q5wx-m95r-4cgc / CVE-2024-4350 (CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)

Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses. A rogue administrator could inject malicious code into fields due to insufficient input validation.

  • GHSA-q7qr-22qw-pqgx / CVE-2024-8291 (CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)

Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in Image Editor Background Color. A rogue admin could add malicious code to the Thumbnails/Add-Type.

  • GHSA-3cpf-jmmc-8jm3 / CVE-2024-4353 (CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)

Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board instance functionality. The Name input field does not check the input sufficiently, letting a rogue administrator have the capability to inject malicious JavaScript code.
The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator) and a CVSS v4 score of 1.8 with a vector of CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks fhAnso for reporting.

These similar CVEs have been rated as Attack Complexity = High. Consistency demands that the GHSA-998c-q8hh-h8gv / CVE-2024-8660 vulnerability also be rated as High for Attack Complexity.
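As an added example (not part of this PR or of the advisory database's own tooling), a small Python checker that parses CVSS 4.0 vectors like the ones listed above and flags the inconsistency this PR argues about: an advisory whose description requires a rogue administrator (PR:H) but is scored AC:L. The AC:L vector used for CVE-2024-8660 and the "rogue administrator" wording heuristic are assumptions of the example, not values taken from the advisory.

```python
import re

# CVSS v4.0 base-metric vocabulary. Assumption: only the Base group is
# validated; Threat/Environmental/Supplemental metrics (all X in the
# vectors on this page) are parsed but not checked.
CVSS4_BASE = {
    "AV": {"N", "A", "L", "P"}, "AC": {"L", "H"}, "AT": {"N", "P"},
    "PR": {"N", "L", "H"}, "UI": {"N", "P", "A"},
    "VC": {"H", "L", "N"}, "VI": {"H", "L", "N"}, "VA": {"H", "L", "N"},
    "SC": {"H", "L", "N"}, "SI": {"H", "L", "N"}, "SA": {"H", "L", "N"},
}

def parse_cvss4(vector):
    """Parse a CVSS:4.0 vector into {metric: value}; reject malformed input."""
    if not vector.startswith("CVSS:4.0/"):
        raise ValueError("not a CVSS 4.0 vector")
    metrics = {}
    for part in vector.split("/")[1:]:
        name, _, value = part.partition(":")
        if not name or not value:
            raise ValueError(f"malformed metric: {part!r}")
        if name in CVSS4_BASE and value not in CVSS4_BASE[name]:
            raise ValueError(f"invalid value {value!r} for {name}")
        metrics[name] = value
    missing = CVSS4_BASE.keys() - metrics.keys()
    if missing:
        raise ValueError(f"missing base metrics: {sorted(missing)}")
    return metrics

# Wording that signals the attack depends on an administrator's insider
# knowledge or privileges (assumption: a heuristic chosen for this example).
ADMIN_PATTERN = re.compile(r"\brogue (admin|administrator)\b", re.I)

def check_attack_complexity(description, vector):
    """Return a finding if a 'rogue administrator' advisory is scored AC:L, else None."""
    m = parse_cvss4(vector)
    if ADMIN_PATTERN.search(description) and m["PR"] == "H" and m["AC"] == "L":
        return "AC:L but description requires a rogue administrator; expected AC:H"
    return None

def set_metric(vector, name, value):
    """Rewrite one base metric in a vector string, e.g. AC:L -> AC:H."""
    if name not in CVSS4_BASE or value not in CVSS4_BASE[name]:
        raise ValueError(f"invalid {name}:{value}")
    return re.sub(rf"/{name}:[A-Z]", f"/{name}:{value}", vector, count=1)
```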

@github-actions github-actions bot changed the base branch from main to vulnerability-analyst/advisory-improvement-5166 January 13, 2025 21:45
@shelbyc
Contributor

shelbyc commented Jan 13, 2025

Hi @vulnerability-analyst, thank you for explaining your suggested changes and providing examples of the CNA using an attack complexity value of high in similar vulnerabilities. Because ConcreteCMS, not GitHub, scored the CVSSv4 value for CVE-2024-8660, I don't want to change the CVSS without knowing if choosing AC:L instead of AC:H for CVE-2024-8660 was a deliberate choice or an accident.

Have you contacted Concrete CMS via their CNA email to ask them about their CVSSv4 scoring decision for CVE-2024-8660? Their CNA profile is available at https://www.cve.org/PartnerInformation/ListofPartners/partner/ConcreteCMS and provides an email address where people with questions about Concrete CMS's CVEs can contact them. If you haven't emailed Concrete CMS already, I would suggest you do that as your next step.

@vulnerability-analyst
Author

vulnerability-analyst commented Jan 15, 2025

Hi @shelbyc,

I’ve reached out to the Concrete CMS team, and they’ve informed me that the matter is under internal discussion. I’ll provide an update here as soon as I receive confirmation from them.

On a related note, my colleagues mentioned they couldn’t see my contributions on the PR page of GHSA (please see the snapshots below); this issue is also true to my merged PR, where my colleagues encountered a 404 error when trying to access the page. Could this be due to a specific reason, such as @vulnerability-analyst being a relatively new account?

My view when using @vulnerability-analyst:
[screenshot]

Public view when using a different account or incognito mode (not logged in):
[screenshot]
