How to fix CVE-2025-0660?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Is Concrete CMS affected by CVE-2025-0660?

CVE-2025-0660 presents moderate security risk, a input validation vulnerability rated CVSS 4.8. Exploitation could compromise the security of affected deployments. A patch is available and should be applied during regular vulnerability management.

Concrete CMS CVE-2025-0660

MEDIUM

Improper Input Validation (CWE-20)

2025-03-10 ff5b8ace-8b95-4078-9743-eac1ca5451de

GHSA-pvmx-mjmh-jfcx

XSS

4.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 19:50 vuln.today

Patch released

Sep 04, 2025 - 15:54 nvd

Patch available

CVE Published

Mar 10, 2025 - 21:15 nvd

MEDIUM 4.8

DescriptionNVD

Concrete CMS versions 9.0.0 through 9.3.9 are affected by a stored XSS in Folder Function.The "Add Folder" functionality lacks input sanitization, allowing a rogue admin to inject XSS payloads as folder names. The Concrete CMS security team gave this vulnerability a CVSS 4.0 Score of 4.8 with vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N. Versions below 9 are not affected. Thanks, Alfin Joseph for reporting.

AnalysisAI

Concrete CMS versions 9.0.0 versions up to 9.3.9 is affected by improper input validation (CVSS 4.8).

Technical ContextAI

This vulnerability (CWE-20: Improper Input Validation) exists in the Folder component. Concrete CMS versions 9.0.0 through 9.3.9 are affected by a stored XSS in Folder Function.The "Add Folder" functionality lacks input sanitization, allowing a rogue admin to inject XSS payloads as folder names. The Concrete CMS security team gave this vulnerability a CVSS 4.0 Score of 4.8 with vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N. Versions below 9 are not affected. Thanks, Alfin Joseph for reporting.

Affected ProductsAI

Product: Concrete CMS versions 9.0.0. Versions: up to 9.3.9. Component: Folder.

RemediationAI

A vendor patch is available — apply it immediately. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.

CVE-2025-0660 vulnerability details – vuln.today

Back