7 matches found
CVE-2021-22949
A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to duplicate files which can lead to UI inconvenience, and exhaustion of disk space.Credit for discovery: "Solar Security CMS Research Team"...
Cross site request forgery (csrf)
A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to duplicate files which can lead to UI inconvenience, and exhaustion of disk space.Credit for discovery: "Solar Security CMS Research Team"...
CVE-2021-22949
CVE-2021-22949 is a CSRF in Concrete CMS versions 8.5.5 and earlier that allows an attacker to duplicate files, causing UI issues and potential disk-space exhaustion. The root cause is cross-site request forgery affecting file-duplication functionality; no exploit details are provided beyond this...
GHSA-H76R-VGF3-J6W5 October CMS auth bypass and account takeover
Impact An attacker can exploit this vulnerability to bypass authentication using a specially crafted persist cookie. - To exploit this vulnerability, an attacker must obtain a Laravel’s secret key for cookie encryption and signing. - Due to the logic of how this mechanism works, a targeted user...
GHSA-MXR5-MC97-63RC Account Takeover in Octobercms
Impact An attacker can request an account password reset and then gain access to the account using a specially crafted request. - To exploit this vulnerability, an attacker must know the username of an administrator and have access to the password reset form. Patches - Issue has been patched in...
Concrete CMS: Authenticated path traversal to RCE
crayons Description The bFilename parameter in the scenario index.php/ccm/system/dialogs/block/design/submit is vulnerable to remote code execution via path traversal vulnerability. Authenticated attacker with rights to edit web application pages can upload malicious PNG file containing PHP code...
ImpressCMS: CSRF to XSS in /htdocs/modules/system/admin.php
The "admin.php" file in the "system" module of ImpressCMS version 1.4.2 was vulnerable to a Cross-Site Scripting XSS attack. This vulnerability allowed an attacker to execute malicious scripts in the context of an authorized user by exploiting a lack of input sanitization. The vulnerability was...