Concrete Cms Security Vulnerabilities and Issues — Concrete Cms CVE List

Lucene search

ConcretecmsConcrete Cms

19 matches found

CVE•added 2022/11/14 10:15 p.m.•77 views

CVE-2022-43686

In Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2, the authTypeConcreteCookieMap table can be filled up causing a denial of service (high load).

6.5CVSS6.3AI score0.00203EPSS

CVE•added 2022/12/05 10:15 p.m.•72 views

CVE-2022-43556

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. The Concrete CMS security team has ranked this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Thanks @akbar...

6.1CVSS6AI score0.01205EPSS

CVE•added 2022/11/14 11:15 p.m.•70 views

CVE-2022-43690

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 did not use strict comparison for the legacy_salt so that limited authentication bypass could occur if using this functionality. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

6.3CVSS6.4AI score0.00157EPSS

CVE•added 2022/06/24 3:15 p.m.•69 views

CVE-2022-30119

XSS in /dashboard/reports/logs/view - old browsers only. When using Internet Explorer with the XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2. This cannot be exploited in modern-day ...

6.1CVSS6AI score0.00987EPSS

CVE•added 2017/04/13 5:59 p.m.•68 views

CVE-2017-7725

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "canonical" URL on installation of concrete5 using the "Advanced Options" settings. Remote attackers can make a GET request with any domain name in the Host header; this is stored an...

6.1CVSS6AI score0.04364EPSS

CVE•added 2022/11/14 10:15 p.m.•66 views

CVE-2022-43967

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the multilingual report due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

6.1CVSS5.9AI score0.00449EPSS

CVE•added 2022/11/14 7:15 p.m.•63 views

CVE-2022-43694

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the image manipulation library due to un-sanitized output.

6.1CVSS5.9AI score0.00449EPSS

CVE•added 2022/06/24 3:15 p.m.•61 views

CVE-2022-30120

XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 to allow XSS. This cannot ...

6.1CVSS6AI score0.0207EPSS

CVE•added 2022/11/14 10:15 p.m.•59 views

CVE-2022-43968

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the dashboard icons due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

6.1CVSS5.9AI score0.00449EPSS

CVE•added 2022/11/14 7:15 p.m.•57 views

CVE-2022-43692

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS - user can cause an administrator to trigger reflected XSS with a url if the targeted administrator is using an old browser that lacks XSS protection. Remediate by updating to Concrete CMS 9.1....

6.1CVSS5.9AI score0.00449EPSS

CVE•added 2022/06/24 3:15 p.m.•50 views

CVE-2022-30118

Title for CVE: XSS in /dashboard/system/express/entities/forms/save_control/[GUID]: old browsers only.Description: When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 can...

6.1CVSS6AI score0.00987EPSS

CVE•added 2017/04/24 6:59 a.m.•42 views

CVE-2017-8082

concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire installation by merely tricking an admin into viewing a malicious page involving the /tools/required/files/importers/imageeditor?fID=1&imgData= URI. This results in a site-wide deni...

6.5CVSS6.3AI score0.00208EPSS

CVE•added 2021/09/27 12:15 p.m.•36 views

CVE-2021-40105

An issue was discovered in Concrete CMS through 8.5.5. There is XSS via Markdown Comments.

6.1CVSS6.1AI score0.00434EPSS

CVE•added 2017/09/07 8:29 p.m.•34 views

CVE-2015-4721

Multiple cross-site scripting (XSS) vulnerabilities in Concrete5 5.7.3.1.

6.1CVSS6.5AI score0.00223EPSS

CVE•added 2021/09/23 1:15 p.m.•34 views

CVE-2021-22950

Concrete CMS prior to 8.5.6 had a CSFR vulnerability allowing attachments to comments in the conversation section to be deleted.Credit for discovery: "Solar Security Research Team"

6.5CVSS7AI score0.00104EPSS

CVE•added 2021/09/27 1:15 p.m.•34 views

CVE-2021-40109

A SSRF issue was discovered in Concrete CMS through 8.5.5. Users can access forbidden files on their local network. A user with permissions to upload files from external sites can upload a URL that redirects to an internal resource of any file type. The redirect is followed and loads the contents o...

6.4CVSS6.4AI score0.00099EPSS

CVE•added 2023/04/28 2:15 p.m.•32 views

CVE-2023-28475

Concrete CMS (previously concrete5) versions 8.5.12 and below, and versions 9.0 through 9.1.3 is vulnerable to Reflected XSS on the Reply form because msgID was not sanitized.

6.1CVSS5.9AI score0.01066EPSS

CVE•added 2020/01/14 9:15 p.m.•30 views

CVE-2011-3183

A Cross-Site Scripting (XSS) vulnerability exists in the rcID parameter in Concrete CMS 5.4.1.1 and earlier.

6.1CVSS5.9AI score0.0024EPSS

CVE•added 2021/09/27 12:15 p.m.•27 views

CVE-2021-40106

An issue was discovered in Concrete CMS through 8.5.5. There is unauthenticated stored XSS in blog comments via the website field.

6.1CVSS6.2AI score0.00547EPSS