How the CVE Works:
This vulnerability stems from improper input sanitization in ConcreteCMS’s HTML Block Handler component. When a user submits malicious HTML or JavaScript through the ‘content’ parameter of the block’s Save function, the system fails to filter it properly. The payload persists in the database and executes in the browser of anyone who views the page when the block is rendered, i.e. a stored cross-site scripting flaw. Attackers can craft specially formatted text fields containing
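The description above hinges on one missing control: block content is stored as submitted and rendered as-is. Because an HTML block is meant to carry markup, blanket escaping would break the feature; the defensive pattern is an allow-list sanitizer that keeps a small set of harmless tags and attributes and drops everything else (script elements, event-handler attributes, non-http(s) link targets) at save time. The following is an added example written for this page; it is not ConcreteCMS code, the function and tag names are hypothetical, and the sample block content is constructed for the test.

```python
from html import escape
from html.parser import HTMLParser

# Hypothetical allow-list for an HTML block: anything not listed is dropped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")
DROP_WITH_CONTENT = {"script", "style"}  # element and its text are both discarded


class AllowListSanitizer(HTMLParser):
    """Rebuilds the input from parsed tokens, keeping only allow-listed markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a script/style element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text is still emitted (escaped)
        safe_attrs = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                continue  # event handlers are never allowed
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue  # rejects javascript:, data:, vbscript: and similar targets
            safe_attrs.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag == "br":
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text inside script/style is discarded; all other text is re-escaped so
        # it can never be interpreted as markup when the block is rendered.
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_block_content(content):
    """What a safe Save handler would apply to the 'content' parameter before storing it."""
    parser = AllowListSanitizer()
    parser.feed(content)
    parser.close()
    return "".join(parser.out)


# Constructed sample of the kind of submission a block editor might receive.
SAMPLE_CONTENT = (
    '<p onclick="x()">Hello <b>world</b>'
    "<script>alert(1)</script>"
    '<a href="javascript:alert(1)">x</a>'
    '<a href="https://example.com">ok</a></p>'
)


def sanitized_sample():
    return sanitize_block_content(SAMPLE_CONTENT)


if __name__ == "__main__":
    print(sanitized_sample())
```

Sanitizing at save time (rather than only at render time) means the stored value in the database is already inert, which also protects any other code path that later reads the same row. Python's HTMLParser treats script and style bodies as raw text, so the sanitizer sees them as a single data chunk and can discard them whole; tags outside the allow-list are removed but their visible text is kept, escaped, so legitimate content survives.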