A Cross-Site Scripting (XSS) vulnerability exists in the rcID parameter in Concrete CMS 5.4.1.1 and earlier.
CVSS: 6.1; AI Score: 5.9; EPSS: 0.001
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file.
CVSS: 7.2; AI Score: 6.8; EPSS: 0.003
Concrete5 before 8.5.3 does not constrain the sort direction to a valid asc or desc value.
CVSS: 5.3; AI Score: 5.4; EPSS: 0.001
Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File Manager. It is possible to modify site configuration to upload the PHP file and execute arbitrary commands.
CVSS: 7.2; AI Score: 7.2; EPSS: 0.001