Concrete Cms Security Vulnerabilities and Issues — Concrete Cms CVE List

Lucene search

ConcretecmsConcrete Cms

10 matches found

CVE•added 2021/07/30 2:15 p.m.•81 views

CVE-2021-36766

Concrete5 through 8.5.5 deserializes Untrusted Data. The vulnerable code is located within the controllers/single_page/dashboard/system/environment/logging.php Logging::update_logging() method. User input passed through the logFile request parameter is not properly sanitized before being used in a ...

7.2CVSS7.1AI score0.01442EPSS

CVE•added 2021/11/19 7:15 p.m.•72 views

CVE-2021-22968

A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below.The external file upload feature stages files in the public directory even if they have disallowed file extensions. They are stored...

7.2CVSS7.5AI score0.02529EPSS

CVE•added 2021/11/19 7:15 p.m.•70 views

CVE-2021-22951

Unauthorized individuals could view password protected files using view_inline in Concrete CMS (previously concrete 5) prior to version 8.5.7. Concrete CMS now checks to see if a file has a password in view_inline and, if it does, the file is not rendered.For version 8.5.6, the following mitigation...

7.5CVSS7.6AI score0.00276EPSS

CVE•added 2021/11/19 7:15 p.m.•53 views

CVE-2021-22970

Concrete CMS (formerly concrete5) versions 8.5.6 and below and version 9.0.0 allow local IP importing causing the system to be vulnerable toa. SSRF attacks on the private LAN servers by reading files from the local LAN. An attacker can pivot in the private LAN and exploit local network appsandb. SS...

7.5CVSS7.4AI score0.0033EPSS

CVE•added 2021/09/24 3:15 p.m.•52 views

CVE-2021-40099

An issue was discovered in Concrete CMS through 8.5.5. Fetching the update json scheme over HTTP leads to remote code execution.

7.2CVSS7.5AI score0.02961EPSS

CVE•added 2021/11/19 7:15 p.m.•47 views

CVE-2021-22967

In Concrete CMS (formerly concrete 5) below 8.5.7, IDOR Allows Unauthenticated User to Access Restricted Files If Allowed to Add Message to a Conversation.To remediate this, a check was added to verify a user has permissions to view files before attaching the files to a message in "add / edit messa...

7.5CVSS7.4AI score0.0061EPSS

CVE•added 2018/07/09 8:29 p.m.•38 views

CVE-2018-13790

A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to attacks on the local network and mapping of the internal network, because of URL functionality on the File Manager page.

7.2CVSS6.8AI score0.00353EPSS

CVE•added 2021/09/27 12:15 p.m.•33 views

CVE-2021-40104

An issue was discovered in Concrete CMS through 8.5.5. There is an SVG sanitizer bypass.

7.5CVSS7.6AI score0.00166EPSS

CVE•added 2021/09/27 12:15 p.m.•31 views

CVE-2021-40103

An issue was discovered in Concrete CMS through 8.5.5. Path Traversal can lead to Arbitrary File Reading and SSRF.

7.5CVSS7.9AI score0.00428EPSS

CVE•added 2021/11/30 8:15 p.m.•29 views

CVE-2021-40101

An issue was discovered in Concrete CMS before 8.5.7. The Dashboard allows a user's password to be changed without a prompt for the current password.

7.2CVSS7.1AI score0.10306EPSS