Lucene search

[email protected]NVD:CVE-2023-28472

HistoryApr 28, 2023 - 2:15 p.m.

CVE-2023-28472

2023-04-2814:15:10

[email protected]

web.nvd.nist.gov

concrete cms

security vulnerability

http only

ccmpoll cookies

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.4

Confidence

High

EPSS

0.001

Percentile

37.4%

JSON

Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 does not have Secure and HTTP only attributes set for ccmPoll cookies.

Affected configurations

Nvd

Node

concretecmsconcrete_cmsRange<9.2.0

VendorProductVersionCPE
concretecmsconcrete_cms*cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
concretecms	concrete_cms	*	cpe:2.3:a:concretecms:concrete_cms::::::::

References

concretecms.com

www.concretecms.org/about/project-news/security/2023-11-09-security-blog-about-updated-cves-and-new-release

www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2023-04-20

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.4

Confidence

High

EPSS

0.001

Percentile

37.4%

JSON

Related for NVD:CVE-2023-28472

github1 veracode1 osv1 cvelist1 prion1 cve1