Filtered by vendor Concretecms
Subscriptions
Filtered by product Concrete Cms
Subscriptions
Total
99 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-43692 | 1 Concretecms | 1 Concrete Cms | 2025-04-30 | 6.1 Medium |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS - user can cause an administrator to trigger reflected XSS with a url if the targeted administrator is using an old browser that lacks XSS protection. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | ||||
| CVE-2022-43691 | 1 Concretecms | 1 Concrete Cms | 2025-04-30 | 5.3 Medium |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently disclose server-side sensitive information (secrets in environment variables and server information) when Debug Mode is left on in production. | ||||
| CVE-2022-43690 | 1 Concretecms | 1 Concrete Cms | 2025-04-30 | 6.3 Medium |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 did not use strict comparison for the legacy_salt so that limited authentication bypass could occur if using this functionality. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | ||||
| CVE-2022-43689 | 1 Concretecms | 1 Concrete Cms | 2025-04-30 | 5.3 Medium |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure. | ||||
| CVE-2022-43687 | 1 Concretecms | 1 Concrete Cms | 2025-04-30 | 5.4 Medium |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | ||||
| CVE-2022-43686 | 1 Concretecms | 1 Concrete Cms | 2025-04-30 | 6.5 Medium |
| In Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2, the authTypeConcreteCookieMap table can be filled up causing a denial of service (high load). | ||||
| CVE-2022-43694 | 1 Concretecms | 1 Concrete Cms | 2025-04-30 | 6.1 Medium |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the image manipulation library due to un-sanitized output. | ||||
| CVE-2022-43693 | 1 Concretecms | 1 Concrete Cms | 2025-04-30 | 8.8 High |
| Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth. | ||||
| CVE-2024-1246 | 1 Concretecms | 1 Concrete Cms | 2025-04-24 | 2 Low |
| Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature due to insufficient validation of administrator provided data. A rogue administrator could inject malicious code when importing images, leading to the execution of the malicious code on the website user’s browser. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N. This does not affect Concrete versions prior to version 9. | ||||
| CVE-2022-43556 | 1 Concretecms | 1 Concrete Cms | 2025-04-24 | 6.1 Medium |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. The Concrete CMS security team has ranked this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Thanks @_akbar_jafarli_ for reporting. Remediate by updating to Concrete CMS 8.5.10 and Concrete CMS 9.1.3. | ||||
| CVE-2015-4724 | 1 Concretecms | 1 Concrete Cms | 2025-04-20 | N/A |
| SQL injection vulnerability in Concrete5 5.7.3.1. | ||||
| CVE-2015-4721 | 1 Concretecms | 1 Concrete Cms | 2025-04-20 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Concrete5 5.7.3.1. | ||||
| CVE-2017-8082 | 1 Concretecms | 1 Concrete Cms | 2025-04-20 | N/A |
| concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire installation by merely tricking an admin into viewing a malicious page involving the /tools/required/files/importers/imageeditor?fID=1&imgData= URI. This results in a site-wide denial of service making the site not accessible to any users or any administrators. | ||||
| CVE-2017-7725 | 1 Concretecms | 1 Concrete Cms | 2025-04-20 | 6.1 Medium |
| concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "canonical" URL on installation of concrete5 using the "Advanced Options" settings. Remote attackers can make a GET request with any domain name in the Host header; this is stored and allows for arbitrary domains to be set for certain links displayed to subsequent visitors, potentially an XSS vector. | ||||
| CVE-2014-5108 | 2 Concrete5, Concretecms | 2 Concrete5, Concrete Cms | 2025-04-12 | N/A |
| Cross-site scripting (XSS) vulnerability in single_pages\download_file.php in concrete5 before 5.6.3 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header to index.php/download_file. | ||||
| CVE-2014-9526 | 2 Concrete5, Concretecms | 2 Concrete5, Concrete Cms | 2025-04-12 | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in concrete5 5.7.2.1, 5.7.2, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) gName parameter in single_pages/dashboard/users/groups/bulkupdate.php or (2) instance_id parameter in tools/dashboard/sitemap_drag_request.php. | ||||
| CVE-2014-5107 | 2 Concrete5, Concretecms | 2 Concrete5, Concrete Cms | 2025-04-12 | N/A |
| concrete5 before 5.6.3 allows remote attackers to obtain the installation path via a direct request to (1) system/basics/editor.php, (2) system/view.php, (3) system/environment/file_storage_locations.php, (4) system/mail/importers.php, (5) system/mail/method.php, (6) system/permissions/file_types.php, (7) system/permissions/files.php, (8) system/permissions/tasks.php, (9) system/permissions/users.php, (10) system/seo/view.php, (11) view.php, (12) users/attributes.php, (13) scrapbook/view.php, (14) pages/attributes.php, (15) files/attributes.php, or (16) files/search.php in single_pages/dashboard/. | ||||
| CVE-2023-28820 | 1 Concretecms | 1 Concrete Cms | 2025-01-31 | 2 Low |
| Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized. | ||||
| CVE-2023-28471 | 1 Concretecms | 1 Concrete Cms | 2025-01-31 | 5.4 Medium |
| Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS via a container name. | ||||
| CVE-2023-28821 | 1 Concretecms | 1 Concrete Cms | 2025-01-30 | 5.3 Medium |
| Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets. | ||||