Description: Cross Site Scripting vulnerability in ConcreteCMS v.9.2.1 allows a local attacker to execute arbitrary code via a crafted script to the SITE parameter from installation or in the Settings.
Attack Vectors: Scripting. A vulnerability in the sanitization of the Site entry, set during installation or in Settings, allows injecting JavaScript code that is executed when a user accesses the web page.
In the installation process we add the payload in the SITE parameter:
<img src=x:alert(alt) onerror=eval(src) alt='XSS Site'>
In the following image you can see the embedded code that executes the payload on the main web page.
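The missing sanitization described above comes down to the stored site name being written into the page without HTML encoding. The following is an added example, not ConcreteCMS code: the function names and the 255-byte limit are assumptions for illustration, and it shows the vulnerable rendering pattern next to an output-encoded one plus a save-time check.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; these are not ConcreteCMS functions.

// Vulnerable pattern: the stored site name is concatenated into markup as-is.
function renderHeaderUnsafe(string $siteName): string
{
    return '<h1 class="site-title">' . $siteName . '</h1>';
}

// Hardened pattern: encode for the HTML context at output time, so the
// stored value is always treated as text, whatever was saved.
function renderHeaderSafe(string $siteName): string
{
    $encoded = htmlspecialchars($siteName, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<h1 class="site-title">' . $encoded . '</h1>';
}

// Defence in depth at save time (installer and Settings form): a site name
// has no reason to carry markup, so reject angle brackets outright.
// The 255-byte limit is an assumed value.
function validateSiteName(string $siteName): string
{
    $siteName = trim($siteName);
    if ($siteName === '' || strlen($siteName) > 255) {
        throw new InvalidArgumentException('Site name must be 1-255 bytes.');
    }
    if (preg_match('/[<>]/', $siteName) === 1) {
        throw new InvalidArgumentException('Site name must not contain HTML.');
    }
    return $siteName;
}

// The value from this page, as it would arrive in the SITE parameter.
$stored = "<img src=x:alert(alt) onerror=eval(src) alt='XSS Site'>";

echo renderHeaderUnsafe($stored), PHP_EOL; // markup reaches the browser intact
echo renderHeaderSafe($stored), PHP_EOL;   // angle brackets and quotes become entities

try {
    validateSiteName($stored);
} catch (InvalidArgumentException $e) {
    echo 'rejected at save: ', $e->getMessage(), PHP_EOL;
}
```

Output encoding is the control that matters here; the save-time check only narrows what can be stored and does not protect values already in the database.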