2023-10-10 00:00:00
mitre
PUBLISHED
Concrete CMS v9.2.1 is affected by an Arbitrary File Upload vulnerability via a Thumbnail file upload, which allows Cross-Site Scripting (XSS). NOTE: the vendors position is that a customer is supposed to know that "pdf" should be excluded from the allowed file types, even though pdf is one of the allowed file types in the default configuration.