Concrete Cms Security Vulnerabilities and Issues — Concrete Cms CVE List

Lucene search

ConcretecmsConcrete Cms

12 matches found

CVE•added 2022/11/14 10:15 p.m.•77 views

CVE-2022-43686

In Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2, the authTypeConcreteCookieMap table can be filled up causing a denial of service (high load).

6.5CVSS6.3AI score0.00203EPSS

CVE•added 2022/11/14 11:15 p.m.•72 views

CVE-2022-43689

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure.

5.3CVSS5.1AI score0.00211EPSS

CVE•added 2022/11/14 11:15 p.m.•70 views

CVE-2022-43690

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 did not use strict comparison for the legacy_salt so that limited authentication bypass could occur if using this functionality. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

6.3CVSS6.4AI score0.00157EPSS

CVE•added 2022/11/14 11:15 p.m.•69 views

CVE-2022-43687

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

5.4CVSS5.4AI score0.00282EPSS

CVE•added 2022/11/14 5:15 p.m.•66 views

CVE-2022-43693

Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth.

8.8CVSS8.8AI score0.00478EPSS

CVE•added 2022/11/14 10:15 p.m.•66 views

CVE-2022-43967

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the multilingual report due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

6.1CVSS5.9AI score0.00449EPSS

CVE•added 2022/11/14 11:15 p.m.•64 views

CVE-2022-43691

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently disclose server-side sensitive information (secrets in environment variables and server information) when Debug Mode is left on in production.

5.3CVSS5.1AI score0.00129EPSS

CVE•added 2022/11/14 7:15 p.m.•63 views

CVE-2022-43694

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the image manipulation library due to un-sanitized output.

6.1CVSS5.9AI score0.00449EPSS

CVE•added 2022/11/14 11:15 p.m.•61 views

CVE-2022-43688

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in icons since the Microsoft application tile color is not sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

4.8CVSS4.7AI score0.00193EPSS

CVE•added 2022/11/14 10:15 p.m.•59 views

CVE-2022-43968

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the dashboard icons due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

6.1CVSS5.9AI score0.00449EPSS

CVE•added 2022/11/14 7:15 p.m.•57 views

CVE-2022-43692

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS - user can cause an administrator to trigger reflected XSS with a url if the targeted administrator is using an old browser that lacks XSS protection. Remediate by updating to Concrete CMS 9.1....

6.1CVSS5.9AI score0.00449EPSS

CVE•added 2022/11/14 11:15 p.m.•49 views

CVE-2022-43695

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn’t exist or, if it does exist, contains XSS since it ...

4.8CVSS4.7AI score0.0044EPSS