Concrete Cms Security Vulnerabilities and Issues — Concrete Cms CVE List

Lucene search

ConcretecmsConcrete Cms

7 matches found

CVE•added 2021/11/19 7:15 p.m.•72 views

CVE-2021-22968

A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below.The external file upload feature stages files in the public directory even if they have disallowed file extensions. They are stored...

7.2CVSS7.5AI score0.02666EPSS

CVE•added 2021/11/19 7:15 p.m.•70 views

CVE-2021-22951

Unauthorized individuals could view password protected files using view_inline in Concrete CMS (previously concrete 5) prior to version 8.5.7. Concrete CMS now checks to see if a file has a password in view_inline and, if it does, the file is not rendered.For version 8.5.6, the following mitigation...

7.5CVSS7.6AI score0.00314EPSS

CVE•added 2021/11/19 7:15 p.m.•54 views

CVE-2021-22969

Concrete CMS (formerly concrete5) versions below 8.5.7 has a SSRF mitigation bypass using DNS Rebind attack giving an attacker the ability to fetch cloud IAAS (ex AWS) IAM keys.To fix this Concrete CMS no longer allows downloads from the local network and specifies the validated IP when downloading...

5.3CVSS5.5AI score0.00268EPSS

CVE•added 2021/11/19 7:15 p.m.•53 views

CVE-2021-22970

Concrete CMS (formerly concrete5) versions 8.5.6 and below and version 9.0.0 allow local IP importing causing the system to be vulnerable toa. SSRF attacks on the private LAN servers by reading files from the local LAN. An attacker can pivot in the private LAN and exploit local network appsandb. SS...

7.5CVSS7.4AI score0.00386EPSS

CVE•added 2021/11/19 7:15 p.m.•50 views

CVE-2021-22966

Privilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. If a group is granted "view" permissions on the bulkupdate page, then users in that group can escalate to being an administrator with a specially crafted curl. Fixed by adding a check for group permissi...

8.8CVSS8.8AI score0.00267EPSS

CVE•added 2021/11/19 7:15 p.m.•47 views

CVE-2021-22967

In Concrete CMS (formerly concrete 5) below 8.5.7, IDOR Allows Unauthenticated User to Access Restricted Files If Allowed to Add Message to a Conversation.To remediate this, a check was added to verify a user has permissions to view files before attaching the files to a message in "add / edit messa...

7.5CVSS7.4AI score0.00747EPSS

CVE•added 2021/11/30 8:15 p.m.•29 views

CVE-2021-40101

An issue was discovered in Concrete CMS before 8.5.7. The Dashboard allows a user's password to be changed without a prompt for the current password.

7.2CVSS7.1AI score0.09143EPSS