Lucene search

GoogleOSV:GHSA-M53V-5X5X-5M2P

HistoryNov 15, 2022 - 12:00 p.m.

Concrete CMS vulnerable to Session Fixation

2022-11-1512:00:17

Google

osv.dev

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.001 Low

EPSS

Percentile

42.3%

JSON

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

CPENameOperatorVersion
concrete5/concrete5eq8.3.0
concrete5/concrete5eq8.4.0RC3
concrete5/concrete5eq8.4.0RC4
concrete5/concrete5eq8.0.3
concrete5/concrete5eq8.5.6RC1
concrete5/concrete5eq8.4.0
concrete5/concrete5eq9.1.1
concrete5/concrete5eq8.5.0RC1
concrete5/concrete5eq9.0.1
concrete5/concrete5eq8.4.4

Name	Operator	Version
concrete5/concrete5	eq	8.3.0
concrete5/concrete5	eq	8.4.0RC3
concrete5/concrete5	eq	8.4.0RC4
concrete5/concrete5	eq	8.0.3
concrete5/concrete5	eq	8.5.6RC1
concrete5/concrete5	eq	8.4.0
concrete5/concrete5	eq	9.1.1
concrete5/concrete5	eq	8.5.0RC1
concrete5/concrete5	eq	9.0.1
concrete5/concrete5	eq	8.4.4

Rows per page:

1-10 of 381

References

documentation.concretecms.org/developers/introduction/version-history/8510-release-notes

documentation.concretecms.org/developers/introduction/version-history/913-release-notes

github.com/concretecms/concretecms

github.com/concretecms/concretecms/releases/8.5.10

github.com/concretecms/concretecms/releases/9.1.3

nvd.nist.gov/vuln/detail/CVE-2022-43687

www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

0.001 Low

EPSS

Percentile

42.3%

JSON

Related for OSV:GHSA-M53V-5X5X-5M2P