# Exploit Title: Concrete CMS 9.4.3 - Stored XSS
# Date: 2/09/2025
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.concretecms.org/
# Software Link: https://www.concretecms.org/download_file/8e11ad24-cc1e-4880-8553-7c18ede22c50/2658
# Version: 9.4.3
# CVE : CVE-2025-8573
# Tested on: Windows XP

'''
Description:
A stored XSS vulnerability in the Concrete CMS admin panel allows administrators to inject malicious scripts into the site's tracking codes, which then execute for every site visitor.
'''

Reproduction Steps:

1. Log in to the Concrete CMS dashboard with administrator credentials
2. Navigate to: Dashboard → System & Settings → SEO & Statistics → Tracking Codes
3. Locate the "Footer Tracking Codes" text input field
4. Insert malicious JavaScript payload: <script>alert('XSS')</script>
5. Save the configuration changes
6. Visit any frontend page of the website
7. Observe JavaScript alert execution on page load
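Because the tracking-code setting is rendered unescaped into every frontend page, a site operator can catch abuse of it by comparing the scripts a rendered page actually carries against an approved baseline. The following is an added example written for this advisory, not code from Concrete CMS or the author; the approved snippet, the allowed host and the sample page are all constructed.

```python
from hashlib import sha256
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []  # start capturing an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None

def audit_scripts(html, approved_hashes, approved_hosts):
    """Return (kind, detail) for every script that is not in the baseline."""
    p = ScriptCollector()
    p.feed(html)
    bad = [("inline", b) for b in p.inline
           if sha256(b.encode()).hexdigest() not in approved_hashes]
    bad += [("external", s) for s in p.external
            if (urlparse(s).hostname or "") not in approved_hosts]
    return bad

# Constructed baseline: the one footer tracking snippet the site owner approved.
APPROVED_SNIPPET = "window.dataLayer = window.dataLayer || [];"
APPROVED_HASHES = {sha256(APPROVED_SNIPPET.encode()).hexdigest()}
APPROVED_HOSTS = {"www.googletagmanager.com"}

# Constructed rendered page: approved tracking code followed by the PoC payload.
SAMPLE_PAGE = f"""<html><body><p>Hello</p>
<script src="https://www.googletagmanager.com/gtag/js"></script>
<script>{APPROVED_SNIPPET}</script>
<script>alert('XSS')</script>
</body></html>"""

def run_demo():
    return audit_scripts(SAMPLE_PAGE, APPROVED_HASHES, APPROVED_HOSTS)
```

Running this against pages fetched on a schedule (or against the saved "Footer Tracking Codes" value itself) turns the silent, site-wide injection into a reviewable drift alert.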