84 matches found

CVE-2020-24986 (added 2020/09/04 8:15 p.m.)

Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File Manager. It is possible to modify site configuration to upload the PHP file and execute arbitrary commands.

CVSS 9 | AI score 7.2 | EPSS 0.00983

CVE-2023-28471 (added 2023/04/28 2:15 p.m.)

Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS via a container name.

CVSS 5.4 | AI score 5 | EPSS 0.00983

CVE-2023-28477 (added 2023/04/28 2:15 p.m.)

Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3, are vulnerable to stored XSS on API Integrations via the name parameter.

CVSS 5.5 | AI score 5.1 | EPSS 0.00703

CVE-2024-3180 (added 2024/04/03 7:15 p.m.)

Concrete CMS version 9 below 9.2.8 and previous versions below 8.5.16 are vulnerable to Stored XSS in blocks of type file. Stored XSS could be caused by a rogue administrator adding malicious code to the link-text field when creating a block of type file. The Concrete CMS security team gave this vul...

CVSS 4.8 | AI score 3.7 | EPSS 0.00104

CVE-2024-4353 (added 2024/08/01 7:15 p.m.)

Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard boardinstance functionality. The Name input field does not check the input sufficiently, letting a rogue administrator have the capability to inject malicious JavaScript code. The Concrete C...

CVSS 4.8 | AI score 4.8 | EPSS 0.00118

CVE-2021-40105 (added 2021/09/27 12:15 p.m.)

An issue was discovered in Concrete CMS through 8.5.5. There is XSS via Markdown Comments.

CVSS 6.1 | AI score 6.1 | EPSS 0.00434

CVE-2024-8661 (added 2024/09/16 6:15 p.m.)

Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in the "Next&Previous Nav" block. A rogue administrator could add a malicious payload by executing it in the browsers of targeted users. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 w...

CVSS 4.8 | AI score 5.5 | EPSS 0.00173

CVE-2024-7398 (added 2024/09/25 1:15 a.m.)

Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with perm...

CVSS 5.4 | AI score 5.3 | EPSS 0.00048

CVE-2024-8660 (added 2024/09/17 7:15 p.m.)

Concrete CMS versions 9.0.0 through 9.3.3 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block. Since the "Top Navigator Bar" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted users visited the home p...

CVSS 4.8 | AI score 4.8 | EPSS 0.00129

CVE-2021-22950 (added 2021/09/23 1:15 p.m.)

Concrete CMS prior to 8.5.6 had a CSRF vulnerability allowing attachments to comments in the conversation section to be deleted. Credit for discovery: "Solar Security Research Team"

CVSS 6.5 | AI score 7 | EPSS 0.00104

CVE-2021-40109 (added 2021/09/27 1:15 p.m.)

An SSRF issue was discovered in Concrete CMS through 8.5.5. Users can access forbidden files on their local network. A user with permissions to upload files from external sites can upload a URL that redirects to an internal resource of any file type. The redirect is followed and loads the contents o...

CVSS 6.4 | AI score 6.4 | EPSS 0.00099

CVE-2023-28472 (added 2023/04/28 2:15 p.m.)

Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3, do not have the Secure and HttpOnly attributes set for ccmPoll cookies.

CVSS 5.3 | AI score 5.3 | EPSS 0.00256

CVE-2023-28821 (added 2023/04/28 2:15 p.m.)

Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets.

CVSS 5.3 | AI score 5.3 | EPSS 0.00157

CVE-2021-22953 (added 2021/09/23 1:15 p.m.)

A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to clone topics, which can lead to UI inconvenience and exhaustion of disk space. Credit for discovery: "Solar Security Research Team"

CVSS 5.8 | AI score 6.4 | EPSS 0.00094

CVE-2021-40098 (added 2021/09/27 12:15 p.m.)

An issue was discovered in Concrete CMS through 8.5.5. Path Traversal leading to RCE via external form by adding a regular expression.

CVSS 9.8 | AI score 9.3 | EPSS 0.0051

CVE-2021-40104 (added 2021/09/27 12:15 p.m.)

An issue was discovered in Concrete CMS through 8.5.5. There is an SVG sanitizer bypass.

CVSS 7.5 | AI score 7.6 | EPSS 0.00381

CVE-2023-28819 (added 2023/04/28 2:15 p.m.)

Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0.0 through 9.0.2, are vulnerable to Stored XSS in uploaded file and folder names.

CVSS 5.4 | AI score 5.1 | EPSS 0.01823

CVE-2024-1246 (added 2024/02/09 8:15 p.m.)

Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature due to insufficient validation of administrator provided data. A rogue administrator could inject malicious code when importing images, leading to the execution of the malicious code on the websit...

CVSS 4.8 | AI score 5 | EPSS 0.00425

CVE-2023-28473 (added 2023/04/28 2:15 p.m.)

Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3, are vulnerable to a possible authentication bypass in the jobs section.

CVSS 3.3 | AI score 4.1 | EPSS 0.00135

CVE-2023-28475 (added 2023/04/28 2:15 p.m.)

Concrete CMS (previously concrete5) versions 8.5.12 and below, and versions 9.0 through 9.1.3, are vulnerable to Reflected XSS on the Reply form because msgID was not sanitized.

CVSS 6.1 | AI score 5.9 | EPSS 0.01066

CVE-2023-28476 (added 2023/04/28 2:15 p.m.)

Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Tags on uploaded files.

CVSS 5.4 | AI score 5.1 | EPSS 0.00983

CVE-2021-40103 (added 2021/09/27 12:15 p.m.)

An issue was discovered in Concrete CMS through 8.5.5. Path Traversal can lead to Arbitrary File Reading and SSRF.

CVSS 7.5 | AI score 7.9 | EPSS 0.00396

CVE-2011-3183 (added 2020/01/14 9:15 p.m.)

A Cross-Site Scripting (XSS) vulnerability exists in the rcID parameter in Concrete CMS 5.4.1.1 and earlier.

CVSS 6.1 | AI score 5.9 | EPSS 0.0024

CVE-2021-22949 (added 2021/09/23 1:15 p.m.)

A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to duplicate files, which can lead to UI inconvenience and exhaustion of disk space. Credit for discovery: "Solar Security CMS Research Team"

CVSS 5.8 | AI score 6.4 | EPSS 0.00094

CVE-2023-28820 (added 2023/04/28 2:15 p.m.)

Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized.

CVSS 5.4 | AI score 5.1 | EPSS 0.00502

CVE-2023-49337 (added 2024/02/29 1:41 a.m.)

Concrete CMS before 9.2.3 allows Stored XSS on the Admin Dashboard via /dashboard/system/basics/name. (8.5 and earlier are unaffected.)

CVSS 4.8 | AI score 3.4 | EPSS 0.00457

CVE-2021-40101 (added 2021/11/30 8:15 p.m.)

An issue was discovered in Concrete CMS before 8.5.7. The Dashboard allows a user's password to be changed without a prompt for the current password.

CVSS 7.2 | AI score 7.1 | EPSS 0.09143

CVE-2023-28474 (added 2023/04/28 2:15 p.m.)

Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Saved Presets on search.

CVSS 5.4 | AI score 5.1 | EPSS 0.00983

CVE-2023-48652 (added 2023/12/25 8:15 a.m.)

Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery (CSRF) via /ccm/system/dialogs/logs/delete_all/submit. An attacker can force an admin user to delete server report logs on a web application to which they are currently authenticated.

CVSS 4.3 | AI score 4.6 | EPSS 0.00256

CVE-2024-1245 (added 2024/02/09 8:15 p.m.)

Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator entered file attributes are not sufficiently sanitized in the Edit Attributes page. A rogue administrator could put malicious code into the file tags or description attributes...

CVSS 4.8 | AI score 4.9 | EPSS 0.00554

CVE-2021-40106 (added 2021/09/27 12:15 p.m.)

An issue was discovered in Concrete CMS through 8.5.5. There is unauthenticated stored XSS in blog comments via the website field.

CVSS 6.1 | AI score 6.2 | EPSS 0.00547

CVE-2023-48651 (added 2024/02/29 1:41 a.m.)

Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery (CSRF) at /ccm/system/dialogs/file/delete/1/submit.

CVSS 4.3 | AI score 6.8 | EPSS 0.00643

CVE-2023-48653 (added 2024/02/29 1:41 a.m.)

Concrete CMS before 8.5.14 and 9 before 9.2.3 allows Cross Site Request Forgery (CSRF) via ccm/calendar/dialogs/event/delete/submit. An attacker can force an admin to delete events on the site because the event ID is numeric and sequential.

CVSS 4.3 | AI score 6.7 | EPSS 0.00643

CVE-2023-48650 (added 2024/02/29 1:41 a.m.)

Concrete CMS before 8.5.14 and 9 before 9.2.3 is vulnerable to an admin adding a stored XSS payload via the Layout Preset name.

CVSS 4.8 | AI score 5.6 | EPSS 0.01115

Total number of security vulnerabilities: 84