Description: ConcreteCMS v9.2.1 is affected by an arbitrary file upload vulnerability that allows stored Cross-Site Scripting (XSS).
Attack Vectors: A vulnerability in the "Thumbnail" file upload sanitization allows you to upload a PDF / SVG / HTML file with a hidden Cross-Site Scripting (XSS) alert payload.
After logging into the panel, we will go to "Settings - Tags - Thumbnail" of the Dashboard menu.
These are the payloads:
It is an XSS payload generated with the JS2PDFInjector tool and a JS payload that contains the following content:
app.alert("XSS");
Once uploaded, if we click on the link we can see the path where they are stored:
In the following image you can see the embedded code that executes the payload on the main website.
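
A defensive check for the upload path described above, as an added example that is not ConcreteCMS code: it classifies an upload by its content and accepts only raster images, so the PDF, SVG and HTML cases from this advisory are rejected. The function names, the allowed-format list and the sample bytes are assumptions made for illustration.

```python
import re

# Raster formats a thumbnail field plausibly needs (assumption), keyed by magic bytes.
RASTER_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
                b"GIF87a": "gif", b"GIF89a": "gif"}
# Markers of script-capable content, matched on the file body, never on its name.
PDF_JS = re.compile(rb"/(?:JavaScript|JS|OpenAction|AA)(?![A-Za-z0-9])")
MARKUP_JS = re.compile(rb"<\s*script|\son\w+\s*=|javascript\s*:", re.I)
PDF_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed samples; only the app.alert("XSS") body is quoted from the advisory.
SAMPLE_PDF = b'%PDF-1.4\n1 0 obj\n<< /OpenAction << /S /JavaScript /JS (app.alert("XSS");) >> >>\nendobj\n'
SAMPLE_SVG = b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def sniff(data: bytes) -> str:
    """Classify an upload by content; extension and Content-Type are ignored."""
    for magic, kind in RASTER_MAGIC.items():
        if data.startswith(magic):
            return kind
    head = data[:1024].lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    if b"%pdf-" in head:
        return "pdf"
    if b"<svg" in head:
        return "svg"
    if head.startswith((b"<!doctype html", b"<html")) or b"<script" in head:
        return "html"
    return "unknown"


def check_thumbnail(data: bytes) -> tuple:
    """Return (accepted, reason). Only raster images are accepted."""
    kind = sniff(data)
    if kind in RASTER_MAGIC.values():
        return True, kind
    body, pattern = data, MARKUP_JS
    if kind == "pdf":
        # Decode #xx name escapes so /J#53 is matched as /JS.
        body = PDF_HEX.sub(lambda m: bytes([int(m.group(1), 16)]), data)
        pattern = PDF_JS
    # Heuristic only: names inside compressed PDF object streams are not seen.
    active = "with script content" if pattern.search(body) else "no script markers found"
    return False, f"rejected {kind}: {active}"


if __name__ == "__main__":
    for name, blob in [("pdf", SAMPLE_PDF), ("svg", SAMPLE_SVG), ("png", SAMPLE_PNG)]:
        print(name, check_thumbnail(blob))
```

Store accepted files under an extension derived from the returned kind rather than the uploaded file name, and serve them with a fixed image Content-Type.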