5 matches found
CVE-2022-30119
XSS in /dashboard/reports/logs/view - old browsers only. When using Internet Explorer with the XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2. This cannot be exploited in modern-da...
CVE-2022-30117
Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 allow traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. This was remediated by sanitizing /index.php/ccm/system/file/upload to ensure Concrete doesn’t allow traversal and by changin...
CVE-2022-21829
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concretesecure’ instead of ‘concrete’. Concrete now only makes requests over https even a request comes in via http...
CVE-2019-2573
Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products subcomponent: Fluid Homepage & Navigation. Supported versions that are affected are 8.56 and 8.57. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to...
Oracle PeopleSoft Products PeopleSoft Enterprise PeopleTools Component Access Control Error Vulnerability
Oracle PeopleSoft Products is a suite of enterprise human capital management solutions from Oracle Corporation. The products provide human capital management, financial management, supplier relationship management, etc. PeopleSoft Enterprise PeopleTools is one of the tools and technology platform...