Concrete CMS

99 matches found

CVE-2024-8291 (added 2024/09/25 1:15 a.m., 44 views)

Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in Image Editor Background Color. A rogue admin could add malicious code to the Thumbnails/Add-Type. The Concrete CMS Security Team gave this a CVSS v4 score of 5.1 with vector https://www.first.org/cvss/calculator/4...

CVSS 5.1, AI score 5, EPSS 0.00143

CVE-2023-44761 (added 2023/10/06 1:15 p.m., 43 views)

Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS versions 8.5.13 and below, and 9.0.0 through 9.2.1, allow a local attacker to execute arbitrary code via a crafted script to the Forms of the Data objects.

CVSS 5.4, AI score 5.5, EPSS 0.00298

CVE-2024-1247 (added 2024/02/09 7:15 p.m., 43 views)

Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS via the Role Name field since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the affec...

CVSS 4.8, AI score 5, EPSS 0.07015

CVE-2024-7394 (added 2024/08/08 5:15 p.m., 43 views)

Concrete CMS versions 9 through 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in getAttributeSetName(). A rogue administrator could inject malicious code. The Concrete CMS team gave this a CVSS v4.0 rank of 4.6 with vector https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:N/PR:H...

CVSS 4.8, AI score 4.8, EPSS 0.00276

CVE-2017-8082 (added 2017/04/24 6:59 a.m., 42 views)

concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire installation by merely tricking an admin into viewing a malicious page involving the /tools/required/files/importers/imageeditor?fID=1&imgData= URI. This results in a site-wide deni...

CVSS 6.5, AI score 6.3, EPSS 0.00208

CVE-2024-4350 (added 2024/08/12 1:38 p.m., 42 views)

Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses. A rogue administrator could inject malicious code into fields due to insufficient input validation. The Concrete CMS security team gave th...

CVSS 5.1, AI score 5, EPSS 0.00261

CVE-2014-5108 (added 2014/07/28 3:55 p.m., 41 views)

Cross-site scripting (XSS) vulnerability in single_pages\download_file.php in concrete5 before 5.6.3 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header to index.php/download_file.

CVSS 4.3, AI score 5.9, EPSS 0.00479

CVE-2023-48649 (added 2023/11/17 4:15 a.m., 41 views)

Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows stored XSS on the Admin page via an uploaded file name.

CVSS 5.4, AI score 5.2, EPSS 0.01256

CVE-2023-44765 (added 2023/10/06 1:15 p.m., 40 views)

A Cross Site Scripting (XSS) vulnerability in Concrete CMS versions 8.5.12 and below, and 9.0 through 9.2.1 allows an attacker to execute arbitrary code via a crafted script to Plural Handle of the Data Objects from System & Settings.

CVSS 5.4, AI score 5.3, EPSS 0.00298

CVE-2018-13790 (added 2018/07/09 8:29 p.m., 38 views)

A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to attacks on the local network and mapping of the internal network, because of URL functionality on the File Manager page.

CVSS 7.2, AI score 6.8, EPSS 0.00353

CVE-2020-24986 (added 2020/09/04 8:15 p.m., 38 views)

Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File Manager. It is possible to modify site configuration to upload the PHP file and execute arbitrary commands.

CVSS 9, AI score 7.2, EPSS 0.00983

CVE-2023-28471 (added 2023/04/28 2:15 p.m., 38 views)

Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS via a container name.

CVSS 5.4, AI score 5, EPSS 0.00983

CVE-2023-28477 (added 2024/04/28 2:15 p.m., 38 views)

Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 are vulnerable to stored XSS on API Integrations via the name parameter.

CVSS 5.5, AI score 5.1, EPSS 0.00703

CVE-2024-3180 (added 2024/04/03 7:15 p.m., 38 views)

Concrete CMS version 9 below 9.2.8 and previous versions below 8.5.16 are vulnerable to Stored XSS in blocks of type file. Stored XSS could be caused by a rogue administrator adding malicious code to the link-text field when creating a block of type file. The Concrete CMS security team gave this vul...

CVSS 4.8, AI score 3.7, EPSS 0.00104

CVE-2024-4353 (added 2024/08/01 7:15 p.m., 38 views)

Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard boardinstance functionality. The Name input field does not check the input sufficiently, letting a rogue administrator have the capability to inject malicious JavaScript code. The Concrete C...

CVSS 4.8, AI score 4.8, EPSS 0.00118

CVE-2014-5107 (added 2014/07/28 3:55 p.m., 37 views)

concrete5 before 5.6.3 allows remote attackers to obtain the installation path via a direct request to (1) system/basics/editor.php, (2) system/view.php, (3) system/environment/file_storage_locations.php, (4) system/mail/importers.php, (5) system/mail/method.php, (6) system/permissions/file_types.p...

CVSS 5, AI score 6.8, EPSS 0.0139

CVE-2014-9526 (added 2015/01/05 9:59 p.m., 37 views)

Multiple cross-site scripting (XSS) vulnerabilities in concrete5 5.7.2.1, 5.7.2, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) gName parameter in single_pages/dashboard/users/groups/bulkupdate.php or (2) instance_id parameter in tools/dashboard/sitemap_drag_r...

CVSS 4.3, AI score 5.9, EPSS 0.00373

CVE-2015-4724 (added 2017/09/07 8:29 p.m., 37 views)

SQL injection vulnerability in Concrete5 5.7.3.1.

CVSS 8.8, AI score 9, EPSS 0.00216

CVE-2021-40105 (added 2021/09/27 12:15 p.m., 36 views)

An issue was discovered in Concrete CMS through 8.5.5. There is XSS via Markdown Comments.

CVSS 6.1, AI score 6.1, EPSS 0.00434

CVE-2023-44764 (added 2023/10/06 1:15 p.m., 36 views)

A Cross Site Scripting (XSS) vulnerability in Concrete CMS before 9.2.3 exists via the Name parameter during installation (aka Site of Installation or Settings).

CVSS 5.4, AI score 5.2, EPSS 0.00214

CVE-2024-8661 (added 2024/09/16 6:15 p.m., 36 views)

Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in the "Next&Previous Nav" block. A rogue administrator could add a malicious payload that would be executed in the browsers of targeted users. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 w...

CVSS 4.8, AI score 5.5, EPSS 0.00173

CVE-2024-7398 (added 2024/09/25 1:15 a.m., 35 views)

Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with perm...

CVSS 5.4, AI score 5.3, EPSS 0.00041

CVE-2024-8660 (added 2024/09/17 7:15 p.m., 35 views)

Concrete CMS versions 9.0.0 through 9.3.3 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block. Since the "Top Navigator Bar" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted users visited the home p...

CVSS 4.8, AI score 4.8, EPSS 0.00129

CVE-2015-4721 (added 2017/09/07 8:29 p.m., 34 views)

Multiple cross-site scripting (XSS) vulnerabilities in Concrete5 5.7.3.1.

CVSS 6.1, AI score 6.5, EPSS 0.00223

CVE-2021-22950 (added 2021/09/23 1:15 p.m., 34 views)

Concrete CMS prior to 8.5.6 had a CSRF vulnerability allowing attachments to comments in the conversation section to be deleted. Credit for discovery: "Solar Security Research Team"

CVSS 6.5, AI score 7, EPSS 0.00104

CVE-2021-40109 (added 2021/09/27 1:15 p.m., 34 views)

A SSRF issue was discovered in Concrete CMS through 8.5.5. Users can access forbidden files on their local network. A user with permissions to upload files from external sites can upload a URL that redirects to an internal resource of any file type. The redirect is followed and loads the contents o...

CVSS 6.4, AI score 6.4, EPSS 0.00099

CVE-2023-28472 (added 2023/04/28 2:15 p.m., 34 views)

Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 do not have the Secure and HttpOnly attributes set for ccmPoll cookies.

CVSS 5.3, AI score 5.3, EPSS 0.00256

CVE-2023-28821 (added 2023/04/28 2:15 p.m., 34 views)

Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets.

CVSS 5.3, AI score 5.3, EPSS 0.00157

CVE-2021-22953 (added 2021/09/23 1:15 p.m., 33 views)

A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to clone topics, which can lead to UI inconvenience and exhaustion of disk space. Credit for discovery: "Solar Security Research Team"

CVSS 5.8, AI score 6.4, EPSS 0.00094

CVE-2021-40104 (added 2021/09/27 12:15 p.m., 33 views)

An issue was discovered in Concrete CMS through 8.5.5. There is an SVG sanitizer bypass.

CVSS 7.5, AI score 7.6, EPSS 0.00381

CVE-2023-28819 (added 2023/04/28 2:15 p.m., 33 views)

Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0.0 through 9.0.2 are vulnerable to Stored XSS in uploaded file and folder names.

CVSS 5.4, AI score 5.1, EPSS 0.01823

CVE-2024-1246 (added 2024/02/09 8:15 p.m., 33 views)

Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature due to insufficient validation of administrator provided data. A rogue administrator could inject malicious code when importing images, leading to the execution of the malicious code on the websit...

CVSS 4.8, AI score 5, EPSS 0.00425

CVE-2021-40098 (added 2021/09/27 12:15 p.m., 32 views)

An issue was discovered in Concrete CMS through 8.5.5. Path Traversal leading to RCE via external form by adding a regular expression.

CVSS 9.8, AI score 9.3, EPSS 0.0051

CVE-2023-28473 (added 2023/04/28 2:15 p.m., 32 views)

Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 are vulnerable to a possible authentication bypass in the jobs section.

CVSS 3.3, AI score 4.1, EPSS 0.00135

CVE-2023-28475 (added 2023/04/28 2:15 p.m., 32 views)

Concrete CMS (previously concrete5) versions 8.5.12 and below, and versions 9.0 through 9.1.3 are vulnerable to Reflected XSS on the Reply form because msgID was not sanitized.

CVSS 6.1, AI score 5.9, EPSS 0.01066

CVE-2023-28476 (added 2023/04/28 2:15 p.m., 32 views)

Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Tags on uploaded files.

CVSS 5.4, AI score 5.1, EPSS 0.00983

CVE-2021-40103 (added 2021/09/27 12:15 p.m., 31 views)

An issue was discovered in Concrete CMS through 8.5.5. Path Traversal can lead to Arbitrary File Reading and SSRF.

CVSS 7.5, AI score 7.9, EPSS 0.00396

CVE-2011-3183 (added 2020/01/14 9:15 p.m., 30 views)

A Cross-Site Scripting (XSS) vulnerability exists in the rcID parameter in Concrete CMS 5.4.1.1 and earlier.

CVSS 6.1, AI score 5.9, EPSS 0.0024

CVE-2021-22949 (added 2021/09/23 1:15 p.m., 30 views)

A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to duplicate files, which can lead to UI inconvenience and exhaustion of disk space. Credit for discovery: "Solar Security CMS Research Team"

CVSS 5.8, AI score 6.4, EPSS 0.00094

CVE-2023-28820 (added 2023/04/28 2:15 p.m., 30 views)

Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized.

CVSS 5.4, AI score 5.1, EPSS 0.00502

CVE-2023-49337 (added 2024/02/29 1:41 a.m., 30 views)

Concrete CMS before 9.2.3 allows Stored XSS on the Admin Dashboard via /dashboard/system/basics/name. (8.5 and earlier are unaffected.)

CVSS 4.8, AI score 3.4, EPSS 0.00457

CVE-2021-40101 (added 2021/11/30 8:15 p.m., 29 views)

An issue was discovered in Concrete CMS before 8.5.7. The Dashboard allows a user's password to be changed without a prompt for the current password.

CVSS 7.2, AI score 7.1, EPSS 0.09143

CVE-2023-28474 (added 2023/04/28 2:15 p.m., 29 views)

Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Saved Presets on search.

CVSS 5.4, AI score 5.1, EPSS 0.00983

CVE-2023-48652 (added 2023/12/25 8:15 a.m., 29 views)

Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery (CSRF) via /ccm/system/dialogs/logs/delete_all/submit. An attacker can force an admin user to delete server report logs on a web application to which they are currently authenticated.

CVSS 4.3, AI score 4.6, EPSS 0.00256

CVE-2024-1245 (added 2024/02/09 8:15 p.m., 28 views)

Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator-entered file attributes are not sufficiently sanitized in the Edit Attributes page. A rogue administrator could put malicious code into the file tags or description attributes...

CVSS 4.8, AI score 4.9, EPSS 0.00554

CVE-2021-40106 (added 2021/09/27 12:15 p.m., 27 views)

An issue was discovered in Concrete CMS through 8.5.5. There is unauthenticated stored XSS in blog comments via the website field.

CVSS 6.1, AI score 6.2, EPSS 0.00547

CVE-2023-48651 (added 2024/02/29 1:41 a.m., 25 views)

Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery (CSRF) at /ccm/system/dialogs/file/delete/1/submit.

CVSS 4.3, AI score 6.8, EPSS 0.00643

CVE-2023-48653 (added 2024/02/29 1:41 a.m., 21 views)

Concrete CMS before 8.5.14 and 9 before 9.2.3 allows Cross Site Request Forgery (CSRF) via ccm/calendar/dialogs/event/delete/submit. An attacker can force an admin to delete events on the site because the event ID is numeric and sequential.

CVSS 4.3, AI score 6.7, EPSS 0.00643

CVE-2023-48650 (added 2024/02/29 1:41 a.m., 19 views)

Concrete CMS before 8.5.14 and 9 before 9.2.3 is vulnerable to an admin adding a stored XSS payload via the Layout Preset name.

CVSS 4.8, AI score 5.6, EPSS 0.01115

Total number of security vulnerabilities: 99