----------------------------------------------------------------------------
Concrete5 <= 5.7.3.1 Multiple Reflected Cross-Site Scripting Vulnerabilities
----------------------------------------------------------------------------

[-] Software Link:

https://www.concrete5.org/

[-] Affected Versions:

Version 5.7.3.1 and probably other versions.

[-] Vulnerabilities Description:

1) The vulnerable code is located in /concrete/views/panels/details/page/versions.php:

5.    tabs($tabs);
10.   foreach($_REQUEST['cvID'] as $cvID) { ?>
11.
12.

User input passed through the "cvID" and "cID" request parameters is not properly sanitized before being used to generate HTML output at lines 6 and 13. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks.

2) The vulnerable code is located in /concrete/src/Form/Service/Widget/UserSelector.php:

17.   public function selectUser($fieldName, $uID = false, $javascriptFunc = 'ccm_triggerSelectUser') {
18.       $selectedUID = 0;
19.       if (isset($_REQUEST[$fieldName])) {
20.           $selectedUID = $_REQUEST[$fieldName];
21.       } else if ($uID > 0) {
22.           $selectedUID = $uID;
23.       }
24.
25.       $html = '';
26.       $html .= '
...
27.       if ($selectedUID > 0) {
28.           $ui = UserInfo::getByID($selectedUID);
29.           $html .= $ui->getUserName();
30.       }
31.       $html .= '
';
32.       $identifier = new \Concrete\Core\Utility\Service\Identifier();
33.       $selector = $identifier->getString(32);
34.       $html .= '';
36.       $html .= '
';

User input passed through the "uID" request parameter is not properly sanitized before being used to generate HTML output at line 35. This can be exploited to conduct reflected Cross-Site Scripting (XSS) attacks.

3) The vulnerable code is located in /concrete/elements/group/search.php:

4.    $searchRequest = $_REQUEST;
5.    $result = Loader::helper('json')->encode($controller->getSearchResultObject()->getJSONObject());
6.    $tree = GroupTree::get();
7.    $guestGroupNode = GroupTreeNode::getTreeNodeByGroupID(GUEST_GROUP_ID);
8.    $registeredGroupNode = GroupTreeNode::getTreeNodeByGroupID(REGISTERED_GROUP_ID);
9.    ?>
10.
11.
16.
17.
18.
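The three findings above share one root cause: a request value (cvID, cID, uID) that is expected to be a numeric ID is written into HTML without being validated or escaped. The following is an added example, not Concrete5 code and not the advisory author's, showing the mitigation pattern a maintainer would apply: coerce ID-like request values to integers before they reach markup, and HTML-escape any string (such as a user name loaded from the database) on output. The function names safeId, e, renderUserSelector and renderVersionIds, the CSS class names, and the $request array are all hypothetical stand-ins constructed for this example.

```php
<?php
// Added example: hardening pattern for reflected XSS sinks that echo
// request-supplied IDs into HTML. Not Concrete5's code; all names are
// hypothetical and the request data below is constructed.

/**
 * Coerce a request value to a positive integer ID, returning 0 if it is
 * not a plain decimal string. Anything containing quotes, angle brackets
 * or other non-digit characters is rejected outright rather than echoed.
 */
function safeId($value): int
{
    if (is_int($value)) {
        return $value > 0 ? $value : 0;
    }
    if (is_string($value) && preg_match('/^[1-9][0-9]{0,9}$/', $value)) {
        return (int) $value;
    }
    return 0;
}

/** Escape a string for HTML body or double-quoted attribute context. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened stand-in for a selectUser()-style widget (hypothetical):
 * the request value is validated as an integer before it is placed in the
 * hidden input, and the looked-up user name is escaped on output because
 * it is attacker-influenced data too (chosen at registration time).
 */
function renderUserSelector(array $request, string $fieldName, callable $lookupName, int $uID = 0): string
{
    $selectedUID = isset($request[$fieldName]) ? safeId($request[$fieldName]) : safeId($uID);

    $html = '<div class="user-selector">';
    if ($selectedUID > 0) {
        $html .= '<span class="user-name">' . e($lookupName($selectedUID)) . '</span>';
    }
    // $selectedUID is an int here, so it cannot break out of the attribute.
    $html .= '<input type="hidden" name="' . e($fieldName) . '" value="' . $selectedUID . '">';
    $html .= '</div>';
    return $html;
}

/**
 * Hardened stand-in for a foreach over $_REQUEST['cvID'] (hypothetical):
 * the parameter may arrive as an array, so each element is validated and
 * invalid ones are dropped instead of being written into the page.
 */
function renderVersionIds(array $request): string
{
    $raw = $request['cvID'] ?? [];
    $ids = array_filter(array_map('safeId', is_array($raw) ? $raw : [$raw]));

    $html = '';
    foreach ($ids as $cvID) {
        $html .= '<input type="hidden" name="cvID[]" value="' . $cvID . '">';
    }
    return $html;
}

// Constructed sample request: one legitimate ID per parameter mixed with
// a non-numeric value that must not reach the output.
$request = [
    'uID'  => '42',
    'cvID' => ['7', 'not-a-number', '9'],
];
// Constructed user table; the name deliberately contains characters that
// are significant in HTML so the escaping is visible in the output.
$names = [42 => "O'Brien <admin>"];

echo renderUserSelector($request, 'uID', fn(int $id): string => $names[$id] ?? ''), "\n";
echo renderVersionIds($request), "\n";
```

Run with `php example.php`; the hidden inputs carry only the integers 42, 7 and 9, the "not-a-number" element is discarded, and the user name appears with its quote and angle brackets entity-encoded. The same two helpers (integer coercion for IDs, htmlspecialchars for everything else) cover the cID parameter and the search.php element in the same way.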