Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Concrete_cms
(Concretecms)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 99 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2024-04-03 | CVE-2024-3181 | Concrete CMS version 9 prior to 9.2.8 and previous versions prior to 8.5.16 are vulnerable to Stored XSS in the Search Field. Prior to the fix, stored XSS could be executed by an administrator changing a filter to which a rogue administrator had previously added malicious code. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Thanks Alexey Solovyev for reporting | Concrete_cms | 4.8 | ||
| 2024-09-16 | CVE-2024-8661 | Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in the "Next&Previous Nav" block. A rogue administrator could add a malicious payload by executing it in the browsers of targeted users. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Since the... | Concrete_cms | 4.8 | ||
| 2020-06-22 | CVE-2020-14961 | Concrete5 before 8.5.3 does not constrain the sort direction to a valid asc or desc value. | Concrete_cms | 5.3 | ||
| 2020-09-04 | CVE-2020-24986 | Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File Manager. It is possible to modify site configuration to upload the PHP file and execute arbitrary commands. | Concrete_cms | 7.2 | ||
| 2021-01-08 | CVE-2021-3111 | The Express Entries Dashboard in Concrete5 8.5.4 allows stored XSS via the name field of a new data object at an index.php/dashboard/express/entries/view/ URI. | Concrete_cms | 4.8 | ||
| 2021-03-18 | CVE-2021-28145 | Concrete CMS (formerly concrete5) before 8.5.5 allows remote authenticated users to conduct XSS attacks via a crafted survey block. This requires at least Editor privileges. | Concrete_cms | 5.4 | ||
| 2021-07-30 | CVE-2021-36766 | Concrete5 through 8.5.5 deserializes Untrusted Data. The vulnerable code is located within the controllers/single_page/dashboard/system/environment/logging.php Logging::update_logging() method. User input passed through the logFile request parameter is not properly sanitized before being used in a call to the file_exists() PHP function. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope (PHP Object Injection via phar:// stream wrapper),... | Concrete_cms | 7.2 | ||
| 2021-09-23 | CVE-2021-22949 | A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to duplicate files which can lead to UI inconvenience, and exhaustion of disk space.Credit for discovery: "Solar Security CMS Research Team" | Concrete_cms | 5.4 | ||
| 2021-09-23 | CVE-2021-22950 | Concrete CMS prior to 8.5.6 had a CSFR vulnerability allowing attachments to comments in the conversation section to be deleted.Credit for discovery: "Solar Security Research Team" | Concrete_cms | 6.5 | ||
| 2021-09-23 | CVE-2021-22953 | A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to clone topics which can lead to UI inconvenience, and exhaustion of disk space.Credit for discovery: "Solar Security Research Team" | Concrete_cms | 5.4 |