Impact
Concrete CMS versions 9.5.0 and earlier contain a stored cross-site scripting flaw in the OAuth integration mechanism. The integration name field, which administrators control, is inserted into the OAuth authorization page by PHP string interpolation and then passed to the translation helper t() as a raw, unescaped sprintf format string. An attacker who can create or modify an integration name can therefore inject arbitrary HTML or JavaScript into that page. When a victim visits the affected page, the injected script runs in the context of the site, permitting session hijacking, data exfiltration, or defacement. The flaw could also allow an administrator to snoop on login submissions, compromising the confidentiality of authentication credentials. The vulnerability affects Concrete CMS releases 9.5.0 and earlier; administrators running those versions should review all OAuth integrations. Later releases such as 9.5.1 and 9.5.2 contain the fix and are not affected. The CVSS v4.0 score is 7.3, classifying the vulnerability as high severity. Because supplying a malicious integration name requires an account with administrative privileges, the practical attack surface is limited to legitimate administrators or compromised admin credentials. No public exploit has been identified and no EPSS score is available, but because the XSS is stored, once an administrator injects a payload every user who accesses the page is affected. The vulnerability is not listed in the CISA KEV catalog, which suggests no known widespread exploitation campaigns, but that absence should not be relied on as a safeguard. The likely attack vector is a compromised or rogue administrator creating a malicious OAuth integration name that is then rendered to site users.
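To make the mechanism concrete, the following is an added illustration, not Concrete CMS's own code: t() and h() are simplified stand-ins (assumed names) modelled on the behaviour described above, where t() treats its first argument as a sprintf format and h() HTML-escapes a value. It shows the interpolated form beside the corrected form, where the name travels as an escaped sprintf argument.

```php
<?php
// Added example, not Concrete CMS's own code. t() and h() are simplified
// stand-ins (assumed names, modelled on the behaviour the advisory describes):
// t() treats its first argument as a sprintf format, h() HTML-escapes.
function t(string $format, ...$args): string
{
    // Real translation lookup omitted; only the sprintf step matters here.
    return $args ? vsprintf($format, $args) : $format;
}

function h(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: the admin-controlled name is interpolated into the
// format string itself, so its markup reaches the page unescaped and any '%'
// it contains is parsed as a conversion specifier.
function renderVulnerable(string $name, string $site): string
{
    return t("Allow <strong>$name</strong> to access %s?", $site);
}

// Fixed pattern: the name is a sprintf argument, never part of the format,
// and is escaped before it is placed in the HTML.
function renderFixed(string $name, string $site): string
{
    return t('Allow <strong>%s</strong> to access %s?', h($name), h($site));
}

// Constructed sample values (not taken from the advisory).
$name = '<img src=x onerror=alert(1)> 100% Trusted';
$site = 'example.test';

try {
    echo renderVulnerable($name, $site), PHP_EOL;
} catch (ValueError $e) {
    // PHP 8: the stray "% T" is an unknown specifier and vsprintf throws.
    echo 'vulnerable render failed: ', $e->getMessage(), PHP_EOL;
}
echo renderFixed($name, $site), PHP_EOL;
// The fixed output carries &lt;img ...&gt; as literal text and the literal
// "100% Trusted"; the browser displays it instead of executing it.
```

A name with no '%' in it would not trigger the ValueError, so the vulnerable branch would silently emit the markup into the page; the escaping in the fixed branch is what actually prevents the script from running.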
Affected Systems
Concrete CMS versions 9.5.0 and earlier are affected. The flaw involves the OAuth integration name field stored in the database. Administrators on these releases should immediately audit their OAuth integration names and, if necessary, remove or correct any custom ones. Versions 9.5.1 and later contain the patch and are not affected. The affected product is the content management system provided by Concrete CMS; the flaw does not affect other products or versions released after 9.5.0.
Risk and Exploitability
The CVSS v4.0 score of 7.3 classifies the flaw as high severity. The vulnerability requires an account with administrative privileges to inject a malicious payload; therefore, the practical attack surface is confined to legitimate administrators or attackers who have compromised such accounts. No public exploit has been documented and no EPSS score is available, but because the XSS is stored, once the payload is saved every user who visits the OAuth authorization page is affected. The vulnerability is not catalogued in the CISA KEV list, indicating no known widespread exploitation campaigns, but this does not reduce the need for remediation.
OpenCVE Enrichment