Concrete Cms@* Security Vulnerabilities and Issues — Concrete Cms@* CVE List

Lucene search

ConcretecmsConcrete Cms*

14 matches found

CVE•added 2023/11/17 4:15 a.m.•51 views

CVE-2023-48648

Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions. File creation functions (such as the Mkdir() function) gives universal access (0777) to created folders by default. Excessive permissions can be granted when crea...

9.8CVSS9.3AI score0.00729EPSS

CVE•added 2023/10/06 1:15 p.m.•48 views

CVE-2023-44762

A Cross Site Scripting (XSS) vulnerability in Concrete CMS from versions 9.2.0 to 9.2.2 allows an attacker to execute arbitrary code via a crafted script to the Tags from Settings - Tags.

5.4CVSS5.3AI score0.00219EPSS

CVE•added 2023/11/17 4:15 a.m.•41 views

CVE-2023-48649

Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows stored XSS on the Admin page via an uploaded file name.

5.4CVSS5.2AI score0.01256EPSS

CVE•added 2023/04/28 2:15 p.m.•38 views

CVE-2023-28471

Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS via a container name.

5.4CVSS5AI score0.00983EPSS

CVE•added 2023/04/28 2:15 p.m.•38 views

CVE-2023-28477

Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to stored XSS on API Integrations via the name parameter.

5.5CVSS5.1AI score0.00703EPSS

CVE•added 2023/04/28 2:15 p.m.•34 views

CVE-2023-28472

Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 does not have Secure and HTTP only attributes set for ccmPoll cookies.

5.3CVSS5.3AI score0.00256EPSS

CVE•added 2023/04/28 2:15 p.m.•34 views

CVE-2023-28821

Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets.

5.3CVSS5.3AI score0.00157EPSS

CVE•added 2023/04/28 2:15 p.m.•33 views

CVE-2023-28819

Concrete CMS (previously concrete5) versions 8.5.12 and below, 9.0.0 through 9.0.2 is vulnerable to Stored XSS in uploaded file and folder names.

5.4CVSS5.1AI score0.01823EPSS

CVE•added 2023/04/28 2:15 p.m.•32 views

CVE-2023-28473

Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to possible Auth bypass in the jobs section.

3.3CVSS4.1AI score0.00135EPSS

CVE•added 2023/04/28 2:15 p.m.•32 views

CVE-2023-28475

Concrete CMS (previously concrete5) versions 8.5.12 and below, and versions 9.0 through 9.1.3 is vulnerable to Reflected XSS on the Reply form because msgID was not sanitized.

6.1CVSS5.9AI score0.01066EPSS

CVE•added 2023/04/28 2:15 p.m.•32 views

CVE-2023-28476

Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Tags on uploaded files.

5.4CVSS5.1AI score0.00983EPSS

CVE•added 2023/04/28 2:15 p.m.•30 views

CVE-2023-28820

Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized.

5.4CVSS5.1AI score0.00502EPSS

CVE•added 2023/04/28 2:15 p.m.•29 views

CVE-2023-28474

Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Saved Presets on search.

5.4CVSS5.1AI score0.00983EPSS

CVE•added 2023/12/25 8:15 a.m.•29 views

CVE-2023-48652

Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery (CSRF) via /ccm/system/dialogs/logs/delete_all/submit. An attacker can force an admin user to delete server report logs on a web application to which they are currently authenticated.

4.3CVSS4.6AI score0.00256EPSS