25 matches found
EUVD-2026-31379
In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without validation enabling redirect-to-internal bypasses. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with a...
CVE-2026-7890
In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without validation enabling redirect-to-internal bypasses. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with a...
CVE-2026-7890
Concrete CMS 9.5.0 and earlier are affected by a server-side SSRF in the RSS Displayer block that accepts arbitrary feed URLs without validation, enabling redirect-to-internal bypasses. The CVE-2026-7890 entry documents a CVSSv4.0 score of 2.1 (low) with network attack vector and high privileges ...
CVE-2026-7890 Concrete CMS 9.5.0 is vulnerable to SSRF via RSS Displayer Block
In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without validation enabling redirect-to-internal bypasses. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with a...
CVE-2026-7890 Concrete CMS 9.5.0 is vulnerable to SSRF via RSS Displayer Block
In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without validation enabling redirect-to-internal bypasses. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with a...
CVE-2026-7890
In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without validation enabling redirect-to-internal bypasses. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with a...
Concrete CMS 代码问题漏洞
Concrete CMS is an open-source content management system developed by Concrete CMS. Versions of Concrete CMS 9.5.0 and earlier have code vulnerabilities. These vulnerabilities stem from the RSS Displayer block accepting arbitrary feed URLs without validation, which may lead to redirection to...
PT-2026-42580
Name of the Vulnerable Software and Affected Versions Concrete CMS versions 9.5.0 and earlier Description The RSS Displayer block accepts a feed URL from page editors and fetches it server-side without proper validation. This lack of validation allows for redirect-to-internal bypasses, where an...
EUVD-2023-1289
Malicious code in bioql PyPI...
Concrete CMS Stored Cross-site Scripting vulnerability
Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses. A rogue administrator could inject malicious code into fields due to insufficient input validation...
GHSA-Q5WX-M95R-4CGC Concrete CMS Stored Cross-site Scripting vulnerability
Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses. A rogue administrator could inject malicious code into fields due to insufficient input validation...
CVE-2024-4350
Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses. A rogue administrator could inject malicious code into fields due to insufficient input validation. The Concrete CMS security team gave...
CVE-2024-4350
Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses. A rogue administrator could inject malicious code into fields due to insufficient input validation. The Concrete CMS security team gave...
CVE-2024-4350 Concrete CMS version 9 below 9.3.3 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer
Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses. A rogue administrator could inject malicious code into fields due to insufficient input validation. The Concrete CMS security team gave...
CVE-2024-4350 Concrete CMS version 9 below 9.3.3 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer
Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses. A rogue administrator could inject malicious code into fields due to insufficient input validation. The Concrete CMS security team gave...
PT-2024-30594 · Unknown · Concrete Cms
Name of the Vulnerable Software and Affected Versions: Concrete CMS versions 9.0.0 through 9.3.2 Concrete CMS versions below 8.5.18 Description: The issue concerns Stored XSS in the RSS Displayer of Concrete CMS, where user input is stored and later embedded into responses. This occurs due to...
GHSA-FGXJ-G7X3-85CQ Stored cross site scripting in RSS displayer
Concrete CMS previously concrete5 before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized...
Stored cross site scripting in RSS displayer
Concrete CMS previously concrete5 before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized...
CVE-2023-28820
Concrete CMS previously concrete5 before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized...
CVE-2023-28820
Concrete CMS previously concrete5 before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized...