Concrete5 8.5.4 - 'name' Stored XSS

ID: 104196
CVE: None
Download vulnerable application: None
# Exploit Title: 
# Date: 2021-01 
# Exploit Author: Quadron Research Lab
# Version: Concrete5 8.5.4 
# Tested on: Windows 10 x64 HUN/ENG Professional
# Vendor: Concrete5 CMS (
# CVE: CVE-2021-3111

[Suggested description]
The Express Entries Dashboard inConcrete5 8.5.4 allows stored XSS via the name field of a new data object at anindex.php/dashboard/express/entries/view/ URI.

[Attack Vectors]
Creating a new data object, the name field is not filtered.  It is possible to place JavaScript code. [Stored XSS]

Proof of Concept
1-4-2 (www01)