GitHub Advisory Database: GHSA-F55R-8RCV-MQCF
Apr 28, 2023 - 3:30 p.m.

Concrete CMS missing secure cookie parameters

2023-04-28 15:30:18
CWE-613
GitHub Advisory Database
github.com
concrete cms
security
cookie parameters
ccmpoll

CVSS3: 5.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS: 0.001
Percentile: 37.4%

Concrete CMS (previously concrete5) before 9.2 does not set the Secure and HttpOnly attributes on ccmPoll cookies.

Affected configurations

Vulners
Node: concrete5 concrete5, Range: <9.2.0

Vendor | Product | Version | CPE
concrete5 | concrete5 | * | cpe:2.3:a:concrete5:concrete5:*:*:*:*:*:*:*:*
