Description: Cross Site Scripting vulnerability in ConcreteCMS v.9.2.1 allows a local attacker to execute arbitrary code via a crafted script to the SEO - Extra from Page Settings.
Attack Vectors: Scripting. A vulnerability in the sanitization of the "Header Extra Content" entry under "SEO" allows injecting JavaScript code that is executed when a user accesses the web page.
After logging into the panel, go to "Page Settings - SEO".
<img src=x:alert(alt) onerror=eval(src) alt='XSS Extra
The following image shows the embedded code that executes the payload on the main website.
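The advisory attributes the issue to missing sanitization of the "Header Extra Content" value. The following audit script is an added example, not ConcreteCMS code: it checks stored header-extra values against an allowlist and reports anything that can run script. The allowlist, the function names and the sample values are assumptions made for illustration; exporting the values from the CMS is left out.

```python
from html.parser import HTMLParser

# Assumption: extra <head> content only ever needs these elements.
ALLOWED_TAGS = {"meta", "link"}
URL_ATTRS = {"href", "src"}
SCRIPT_SCHEMES = {"javascript", "vbscript", "data"}


def url_scheme(value):
    """Scheme with whitespace/control chars dropped, so 'java\\tscript:' is still caught."""
    cleaned = "".join(ch for ch in (value or "") if ch > " ").lower()
    return cleaned.split(":", 1)[0] if ":" in cleaned else ""


class HeadExtraAuditor(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"disallowed element <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):  # onerror, onload, ...
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and url_scheme(value) in SCRIPT_SCHEMES:
                self.findings.append(f"script-capable URL in {name} on <{tag}>")

    def handle_data(self, data):
        if data.strip():  # visible text does not belong in <head>
            self.findings.append("text outside any element")


def audit_head_extra(markup):
    """Return a list of findings for one stored header-extra value."""
    auditor = HeadExtraAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings


# Constructed sample values, keyed by a made-up page label.
SAMPLES = {
    "page-12": '<meta name="robots" content="noindex">\n'
               '<link rel="canonical" href="https://example.com/about">',
    "page-47": '<img src="x" onerror="console.log(1)" alt="demo">',
}

if __name__ == "__main__":
    for page, value in SAMPLES.items():
        print(page, audit_head_extra(value) or "ok")
```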