A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z | AA | AB | AC | AD | AE | AF | AG | AH | AI | AJ | AK | AL | AM | AN | AO | AP | AQ | AR | AS | AT | AU | AV | AW | AX | AY | AZ | BA | BB | BC | BD | BE | ||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2 | Concrete CMS DISCLOSED CVEs | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
3 | last updated date: 2024-11-12 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
4 | Affected Versions | CVE | MITRE Title | Concrete Team Information | CVSS v4 Score | CVSS v3.1 Score | Credit | Date Disclosed by Concrete | Date Published by NVD | Disputed Date | ||||||||||||||||||||||||||||||||||||||||||||||||
6 | Concrete Team | NIST | ConcreteTeam CVSS v4 vector | NIST CVSS v4 vector | Concrete Team | NIST | ConcreteTeam CVSS | NIST CVSS | ||||||||||||||||||||||||||||||||||||||||||||||||||
7 | Concrete below 9.3.6 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
8 | Concrete below 9.3.6 | no CVE - for informational purposes only | See Concrete Team information - Concrete CMS is now a CNA | Concrete below 9.3.6 does not automatically set security headers for cached pages. Security headers have to be set manually in .htaccess or in the apache / nginx settings | 0 | N/A - Security Updates are not assessed | None | N/A | 0 | 0 | None | None | Hissy | 2024-11-05 | N/A | |||||||||||||||||||||||||||||||||||||||||||
9 | Concrete below 9.3.4 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
10 | Concrete below 9.3.4 | CVE-2024-8660 | N/A - Concrete CMS is now a CNA | Concrete CMS versions 9.0.0 through 9.3.4 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block. Since the "Top Navigator Bar" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted users visited the home page. This does not affect versions below 9.0.0 since they do not have the Top Navigation Bar Block. | 4.6 | pending | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N | Pending - NVD assessment not yet provided. | N/A | 4.8 | N/A | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | Chu Quoc Khanh (k0i3n) | 2024-09-17 | 2024-09-17 | |||||||||||||||||||||||||||||||||||||||||||
11 | Concrete 9 below 9.3.4 Concrete 8 below 8.5.19 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
12 | Concrete 9 below 9.3.4 Concrete 8 below 8.5.19 | CVE-2024-8661 | N/A - Concrete CMS is now a CNA | Concrete CMS versions 9.0.0 to 9.3.4 and below 8.5.18 are vulnerable to Stored XSS in the "Next&Previous Nav" block. A rogue administrator could add a malicious payload by executing it in the browsers of targeted users. Since the "Next&Previous Nav" block output was not sufficiently sanitized, the malicious payload could be executed in the browsers of targeted users. | 4.6 | pending | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N | Pending - NVD assessment not yet provided. | N/A | N/A | N/A | N/A | Chu Quoc Khanh (k0i3n) | 2024-09-16 | 2024-09-16 | |||||||||||||||||||||||||||||||||||||||||||
13 | Concrete 9 below 9.3.4 Concrete 8 below 8.5.19 | CVE-2024-7398 | N/A - Concrete CMS is now a CNA | Concrete version 9 below 9.3.4 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with permission to modify event calendars can execute scripts. | 1.8 | pending | CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N | Pending - NVD assessment not yet provided. | N/A | 5.4 | N/A | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Yusuke Uchida | 2024-09-24 | 2024-09-24 | |||||||||||||||||||||||||||||||||||||||||||
14 | Concrete 9 below 9.3.4 Concrete 8 below 8.5.19 | CVE-2024-8291 | N/A - Concrete CMS is now a CNA | Concrete CMS version 9 below 9.3.4 and versions below 8.5.19 are vulnerable to stored XSS in the Image Editor Background Color. A rogue admin could add malicious code to the Thumbnails/Add Type. | 2.1 | pending | CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | Pending - NVD assessment not yet provided. | N/A | 4.8 | N/A | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | Alexey Solovyev (solov9ev) | 2024-09-24 | 2024-09-24 | |||||||||||||||||||||||||||||||||||||||||||
15 | Concrete 9 to 9.3.3 and versions below 8.5.19 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
16 | Concrete 9 to 9.3.3 and versions below 8.5.19 | CVE-2024-8291 | N/A | Concrete version 9 below 9.3.4 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with permission to modify event calendars can execute scripts. | 2.1 | pending | CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | Pending - NVD assessment not yet provided. | N/A | 4.8 | N/A - CVSS v3.2 Obsolete | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | Alexey Solovyev | 08-10-2024 | 2024-08-10 | |||||||||||||||||||||||||||||||||||||||||||
17 | Concrete 9 to 9.3.3 and versions below 8.5.19 | CVE-2024-7398 | N/A | Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in Calendar Event Addition Feature. Users or groups with permission to create event calendars could embed scripts and users or groups with permission to modify event calendars could execute scripts. | 1.8 | pending | CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N | Pending - NVD assessment not yet provided. | N/A | 5.4 | N/A | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Yusuke Uchida | 2024-08-10 | 2024-08-10 | |||||||||||||||||||||||||||||||||||||||||||
18 | Concrete below 9.3.3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
19 | Concrete below 9.3.3 | no CVE - for informational purposes only | N/A | Concrete CMS version 9.3.3 now enforces the Secure Flag for the CONCRETE cookie if a login request is using https by default. This is in line with industry best practice. If a site is served over http:// and the guest uses http:// to log in, the CONCRETE cookie will not have the Secure flag applied so that the site is usable. Although the patch could not be applied cleanly to version 8, the Secure Flag setting can be configured via the dashboard. Since this is a configuration setting, no CVE is being issued. | 0 | N/A - Security Updates are not assessed | None | N/A | 0 | N/A | None | N/A | Yusuke Uchida | 2024-08-08 | 2024-08-08 | |||||||||||||||||||||||||||||||||||||||||||
20 | Concrete 9 to 9.3.2 and versions below 8.5.18 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
21 | Concrete 9 to 9.3.2 and versions below 8.5.18 | CVE-2024-4350 | N/A - Concrete CMS is now a CNA | Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses. A rogue administrator could inject malicious code into fields due to insufficient input validation. | 2.1 | pending | CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | Pending - NVD assessment not yet provided. | 3.0 | pending | AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N | CVSS v3.1 deprecated | m3dium | 2024-08-08 | 2024-08-12 | |||||||||||||||||||||||||||||||||||||||||||
22 | Concrete 9 to 9.3.2 and versions below 8.5.18 | CVE-2024-7394 | N/A - Concrete CMS is now a CNA | Concrete CMS versions 9 through 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in getAttributeSetName(). A rogue administrator could inject malicious code. | 1.8 | pending | CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N | Pending - NVD assessment not yet provided. | 2.0 | pending | AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N | CVSS v3.1 deprecated | m3dium | 2024-08-08 | 2024-08-08 | |||||||||||||||||||||||||||||||||||||||||||
23 | Concrete 9 to 9.3.2 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
24 | Concrete 9 to 9.3.2 (versions below 9 not affected) | CVE-2024-4353 | N/A - Concrete CMS is now a CNA | Stored XSS in Generate Board Name Input Field : Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board instance functionality. The Name input field does not check the input sufficiently letting a rogue administrator have the capability to inject malicious JavaScript code. | 1.8 | pending | CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N | Pending - NVD assessment not yet provided. | 3.1 | pending | AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N | CVSS v3.1 deprecated | fhAnso | 2024-08-01 | 2024-08-01 | |||||||||||||||||||||||||||||||||||||||||||
25 | Concrete 9 to 9.3.2 (versions below 9 not affected) | CVE-2024-7512 | N/A- Concrete CMS is now a CNA | Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in Board instances. A rogue administrator could inject malicious code. | 1.8 | pending | CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | Pending - NVD assessment not yet provided. | 2.6 | pending | AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N | CVSS v3.1 deprecated | m3dium | 2024-08-09 | 2024-08-12 | |||||||||||||||||||||||||||||||||||||||||||
26 | Concrete 9 to 9.2.7 and Concrete 8 below 8.5.16 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
27 | Concrete 9 to 9.2.7 and Concrete 8 below 8.5.16 | CVE-2024-3180 | N/A- Concrete CMS is now a CNA | Concrete CMS version 9 below 9.2.8 and previous versions below 8.5.16 is vulnerable to Stored XSS in blocks of type file. Prior to fix, stored XSS could be caused by a rogue administrator adding malicious code to the link-text field when creating a block of type file. | N/A | N/A | N/A | N/A | 3.1 | pending | AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L | CVSS v3.1 deprecated | Alexey Solovyev | 2024-03-04 | 2024-04-03 | |||||||||||||||||||||||||||||||||||||||||||
28 | Concrete 9 to 9.2.7 and Concrete 8 below 8.5.16 | CVE-2024-3181 | N/A- Concrete CMS is now a CNA | Stored XSS in the Search Field. Prior to the fix, stored XSS could be executed by an administrator changing a filter to which a rogue administrator had previously added malicious code. | N/A | N/A | N/A | N/A | 3.1 | pending | AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L | CVSS v3.1 deprecated | Alexey Solovyev | 2024-04-03 | 2024-04-03 | |||||||||||||||||||||||||||||||||||||||||||
29 | Concrete 9 to 9.2.6 (versions below 9 not affected) | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
30 | Concrete 9 to 9.2.6 | CVE-2024-2179 | Same as Concrete. Concrete CMS is now a CNA | Concrete CMS version 9 before 9.2.7 is vulnerable to Stored XSS via the Name field of a Group type since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Name field which might be executed when users visit the affected page. | N/A | N/A | N/A | N/A | 2.2 | pending | AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N | Luca Fuda | 2024-03-05 | 2024-03-05 | ||||||||||||||||||||||||||||||||||||||||||||
31 | Concrete 9 to 9.2.5 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
32 | Concrete 9.0.0 to 9.2.5 | CVE-2024-1245 | Same as Concrete. Concrete CMS is now a CNA | Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator entered file attributes are not sufficiently sanitized in the Edit Attributes page. A rogue administrator could put malicious code into the file tags or description attributes and, when another administrator opens the same file for editing, the malicious code could execute. | N/A | N/A | N/A | N/A | 2.4 | 4.8 | AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N | AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N | Poto Gabor | 2024-02-06 | 2024-02-09 | |||||||||||||||||||||||||||||||||||||||||||
33 | Concrete 9.0.0 to 9.2.5 | CVE-2024-1246 | Same as Concrete. Concrete CMS is now a CNA | Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature due to insufficient validation of administrator provided data. A rogue administrator could inject malicious code when importing images, leading to the execution of the malicious code on the website user’s browser. This does not affect Concrete versions prior to version 9. | N/A | N/A | N/A | N/A | 2 | 4.8 | AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N | AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | cupc4k3 | 2024-02-06 | 2024-02-09 | |||||||||||||||||||||||||||||||||||||||||||
34 | Concrete 9.0.0 to 9.2.5 | CVE-2024-1247 | Same as Concrete. Concrete CMS is now a CNA | Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS via the Role Name field since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the affected page. Concrete versions below 9 do not include group types so they are not affected by this vulnerability. | N/A | N/A | N/A | N/A | 2 | 4.8 | AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N | AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | cupc4k3 | 2024-02-06 | 2024-02-09 | |||||||||||||||||||||||||||||||||||||||||||
35 | Concrete 9.2.0 through 9.2.2 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
36 | Concrete 9.2.0 through 9.2.2 | CVE-2023-44762 | A Cross Site Scripting (XSS) vulnerability in Concrete CMS from versions 9.2.0 to 9.2.2 allows an attacker to execute arbitrary code via a crafted script to the Tags from Settings - Tags | A Cross Site Scripting (XSS) vulnerability in Concrete CMS version 9.2 through 9.2.2 allows an attacker to execute arbitrary code via a crafted script to the Tags from Settings - Tag. The file this touches is in Bedrock, using a custom library the project wrote for version 9.2.0. | N/A | N/A | N/A | N/A | did not rank. Found in wild. | 5.4 | did not rank. Found in wild. | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Did not communicate with Concrete | Found in wild. | 2023-10-06 | N/A | ||||||||||||||||||||||||||||||||||||||||||
37 | Concrete 9 to 9.2.2 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
38 | Concrete 9 to 9.2.2 | CVE-2023-44764 | A Cross Site Scripting (XSS) vulnerability in Concrete CMS v.9.2.1 allows an attacker to execute arbitrary code via a crafted script to the SITE parameter from installation or in the Settings. MITRE TO BE ASKED TO UPDATE AFFECTED VERSIONS. | A Cross Site Scripting (XSS) vulnerability in Concrete CMS 9.0.0 through 9.2.2 allows an attacker to execute arbitrary code via a crafted script to the SITE parameter from installation or in the Settings. | N/A | N/A | N/A | N/A | did not rank. Found in wild. | 5.4 | did not rank. Found in wild. | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Did not communicate with Concrete | Found in wild. | 2023-10-06 | N/A | ||||||||||||||||||||||||||||||||||||||||||
39 | Concrete 9 to 9.2.2 | CVE-2023-48652 | Concrete CMS 9 before 9.2.3 is vulnerable to Cross-Site Request Forgery (CSRF) via /ccm/system/dialogs/logs/delete_all/submit. An attacker can force an admin user to delete server report logs on a web application to which they are currently authenticated. | CSRF to delete report logs is present at /ccm/system/dialogs/logs/delete_all/submit | N/A | N/A | N/A | N/A | 6.3 | 4.3 | AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | Veshraj Ghimire | 2023-12-25 | 2023-12-25 | |||||||||||||||||||||||||||||||||||||||||||
40 | Concrete 9 to 9.2.2 | CVE-2023-48651 | Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery (CSRF) at /ccm/system/dialogs/file/delete/1/submit. | Cross Site Request Forgery (CSRF) [bypass] to delete any files 3 vulnerability is present at /ccm/system/dialogs/file/delete/1/submit | N/A | N/A | N/A | N/A | 4.3 | pending | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L | pending | Veshraj Ghimire | 2023-12-25 | 2024-02-28 | |||||||||||||||||||||||||||||||||||||||||||
41 | Concrete 9 to 9.2.2 | CVE-2023-49337 | Concrete CMS before 9.2.3 allows Stored XSS on the Admin Dashboard via /dashboard/system/basics/name. (8.5 and earlier are unaffected.) | Stored XSS on admin dashboard via /dashboard/system/basics/name | N/A | N/A | N/A | N/A | 2.4 | 2.4 | AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N | AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N | Ramshath MM | 2023-12-25 | 2023-12-25 | |||||||||||||||||||||||||||||||||||||||||||
42 | Concrete 9 to 9.2.2, Concrete 8 below 8.5.14 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
43 | Concrete 9 to 9.2.2, Concrete 8 below 8.5.14 | CVE-2023-48653 | Concrete CMS before 8.5.14 and 9 before 9.2.3 allows Cross Site Request Forgery (CSRF) via ccm/calendar/dialogs/event/delete/submit. An attacker can force an admin to delete events on the site because the event ID is numeric and sequential. | Cross Site Request Forgery (CSRF) vulnerability is present at ccm/calendar/dialogs/event/delete/submit | N/A | N/A | N/A | N/A | 4.3 | pending | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | pending | Veshraj Ghimire | 2023-12-25 | 2024-02-28 | |||||||||||||||||||||||||||||||||||||||||||
44 | Concrete 9 to 9.2.2, Concrete 8 below 8.5.14 | CVE-2023-48650 | Concrete CMS before 8.5.14 and 9 before 9.2.3 is vulnerable to an admin adding a stored XSS payload via the Layout Preset name. | Stored XSS in Layout Preset name | N/A | N/A | N/A | N/A | 3.5 | pending | AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N | pending | Solar Security CMS Research | 2023-12-25 | 2024-02-28 | |||||||||||||||||||||||||||||||||||||||||||
45 | Concrete 9 below 9.2.2 Concrete 8 below 8.5.13 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
46 | Concrete 9 below 9.2.2 Concrete 8 below 8.5.13 | CVE-2023-48648 | Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions. File creation functions (such as the Mkdir() function) gives universal access (0777) to created folders by default. Excessive permissions can be granted when creating a directory with permissions greater than 0755 or when the permissions argument is not specified. | Concrete 8.5.12 and below and Concrete 9.0.0 through 9.2.1 are vulnerable to unauthorized access because directories can be created with insecure permissions. File creation functions (such as the Mkdir() function) gives universal access (0777) to created folders by default. Excessive permissions can be granted when creating a directory with permissions greater than 0755 or when the permissions argument is not specified. | N/A | N/A | N/A | N/A | 5.3 | 9.8 | [AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H] | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Mlocati for fixing tahabiyikli-vortex for reporting | 2023-11-17 | 2023-11-16 | |||||||||||||||||||||||||||||||||||||||||||
47 | Concrete 9 below 9.2.2 Concrete 8 below 8.5.13 | CVE-2023-48649 | Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows stored XSS on the Admin page via an uploaded file name | Concrete 8.5.12 and below and Concrete 9.0.0 through 9.2.1 are vulnerable to stored XSS on the Concrete Admin page. Prior to fix there was no sanitation on uploaded file names. Concrete CMS Security team scored this 3.5 with CVSS v3 vector AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N @akbar_jafarli reported H1 2149479. Fixed in commit https://github.com/concretecms/concretecms/pull/11695 in Concrete 9.2.2 and in commit https://github.com/concretecms/concretecms/pull/11739 for Concrete 8.5.13. | N/A | N/A | N/A | N/A | 3.5 | 5.4 | [AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N] | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Akbar Jafarli | 2023-12-25 | 2023-11-16 | |||||||||||||||||||||||||||||||||||||||||||
48 | Concrete 9 below 9.2.2 Concrete 8 below 8.5.13 | CVE-2023-44761 | Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow a local attacker to execute arbitrary code via a crafted script to the Forms of the Data objects. IN COMMUNICATION WITH MITRE TO UPDATE AFFECTED VERSIONS. | Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS 9.0.0 through 9.2.1 and below 8.5.13 allow a local attacker to execute arbitrary code via a crafted script to the Forms of the Data objects. | N/A | N/A | N/A | N/A | not ranked. found in wild | 5.4 | did not rank - found in the wild | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Not reported to Concrete | 2023-10-06 | ||||||||||||||||||||||||||||||||||||||||||||
49 | Concrete 9 below 9.2.2 Concrete 8 below 8.5.13 | CVE-2023-44765 | A Cross Site Scripting (XSS) vulnerability in Concrete CMS versions 8.5.12 and below, and 9.0 through 9.2.1 allows an attacker to execute arbitrary code via a crafted script to Plural Handle of the Data Objects from System & Settings. | A Cross Site Scripting (XSS) vulnerability in Concrete CMS 9.0.0 through 9.2.1 and below 8.5.13 allows an attacker to execute arbitrary code via a crafted script to Plural Handle of the Data Objects from System & Settings. | N/A | N/A | N/A | N/A | not ranked. found in wild | 5.4 | did not rank - found in the wild | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Not reported to Concrete | 2023-10-06 | ||||||||||||||||||||||||||||||||||||||||||||
50 | Concrete 9.2.1 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
51 | CONCRETE CMS DISPUTES | CVE-2023-44763 | Concrete CMS v9.2.1 is affected by Arbitrary File Upload vulnerability via the Thumbnail" file upload, which allows Cross-Site Scripting (XSS). | disputing with MITRE. Asking for it to be removed. | N/A | N/A | N/A | N/A | not ranked. found in wild | 5.4 | n/a | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Not reported to Concrete | 2023-10-10 | 2023-10-25 | |||||||||||||||||||||||||||||||||||||||||||
52 | CONCRETE CMS DISPUTES | CVE-2023-44760 | Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow an attacker to execute arbitrary code via a crafted script to the Header and Footer Tracking Codes of the SEO & Statistics. | disputing with MITRE. Asking for it to be removed. | N/A | N/A | N/A | N/A | not ranked. found in wild | 5.4 | n/a | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Not reported to Concrete | 2023-10-23 | 2023-10-30 | |||||||||||||||||||||||||||||||||||||||||||
53 | CONCRETE CMS DISPUTES | CVE-2023-44766 | A Cross Site Scripting (XSS) vulnerability in Concrete CMS v.9.2.1 allows an attacker to execute arbitrary code via a crafted script to the SEO - Extra from Page Settings. | disputing with MITRE. Asking for it to be removed. | N/A | N/A | N/A | N/A | not ranked. found in wild | 5.4 | n/a | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Not reported to Concrete | 2023-10-06 | 2023-11-16 | |||||||||||||||||||||||||||||||||||||||||||
54 | Concrete 9 Below 9.2 Concrete 8 Below 8.5.13 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
55 | Concrete 9 Below 9.2 Concrete 8 Below 8.5.13 | CVE-2023-28472 | Concrete CMS (previously concrete5) versions 8.5.12 and below, and versions 9.0 through 9.1.3 is vulnerable to Reflected XSS on the Reply form because msgID was not sanitized. | Concrete CMS (previously concrete5) below 9.0.0 through 9.13 and below 8.5.13 does not have Secure and HTTP only attributes set for ccmPoll cookies. [CVE Update required: updating the Survey Block Controller. We added support for the concrete.session.cookie.cookie_secure value to the ccmPoll cookie (which developers can set to true if they want to use secure cookies).] | N/A | N/A | N/A | N/A | 3.4 | 5.3 | AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 2023-04-20 | 2023-04-28 | ||||||||||||||||||||||||||||||||||||||||||||
56 | Concrete 9 Below 9.2 Concrete 8 Below 8.5.13 | CVE-2023-28473 | Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to possible Auth bypass in the jobs section. | Concrete CMS (previously concrete5) 9.0.0 through 9.1.3 and below 8.5.1 is vulnerable to possible Auth bypass in the jobs section. | N/A | N/A | N/A | N/A | 2.2 | 3.3 | AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L | Fortbridge (Adrian Tiron) | 2023-04-20 | 2023-04-28 | |||||||||||||||||||||||||||||||||||||||||||
57 | Concrete 9 Below 9.2 Concrete 8 Below 8.5.13 | CVE-2023-28475 | Concrete CMS (previously concrete5) versions 8.5.12 and below, and versions 9.0 through 9.1.3 is vulnerable to Reflected XSS on the Reply form because msgID was not sanitized. | Concrete CMS (previously concrete5) 9.0.0 through 9.1.3 and below 8.5.13 is vulnerable to Reflected XSS on the Reply form since msgID was not sanitized. | N/A | N/A | N/A | N/A | 4.2 | 6.1 | AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N. | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Fortbridge (Bogdan Tiron) | 2023-04-20 | 2023-04-28 | |||||||||||||||||||||||||||||||||||||||||||
58 | Concrete 9 Below 9.2 Concrete 8 Below 8.5.13 | CVE-2023-28477 | Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to stored XSS on API Integrations via the name parameter. | Concrete CMS (previously concrete5) below 9.0.0 through 9.13 and below 8.5.13 is vulnerable to stored XSS on API Integrations via the name parameter. Prior to the fix, while adding API Integrations on Concrete CMS, the parameter name accepted special characters enabling malicious JavaScript payloads impacting /dashboard/system/api/integrations and /dashboard/system/api/integrations/view_client/unique-id. | N/A | N/A | N/A | N/A | 5.5 | 5.5 | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N | Veshraj Ghimire | 2023-04-20 | 2023-04-28 | |||||||||||||||||||||||||||||||||||||||||||
59 | Concrete 9 below 9.2 (Does NOT affect Concrete 8.5 and below) | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
60 | 9.0-9.1.3 | CVE-2023-28471 | Concrete CMS (previously concrete5) before 9.2 is vulnerable to Stored XSS via a container name. MITRE TO BE REQUESTED TO UPDATE AFFECTED VERSIONS. | Concrete CMS (previously concrete5) between 9.0-9.1.3 is vulnerable to Stored XSS on container name. Prior to fix, there was no sanitization on the container name. Concrete versions below 9 do not use containers. | N/A | N/A | N/A | N/A | 2 | 5.4 | AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Ashim Chapagain | 2023-04-20 | 2023-04-28 | |||||||||||||||||||||||||||||||||||||||||||
61 | 9.0-9.1.3 | CVE-2023-28474 | Concrete CMS (previously concrete5) before 9.2 is vulnerable to Stored XSS on Saved Presets on search. MITRE TO BE REQUESTED TO UPDATE AFFECTED VERSIONS. | Concrete CMS (previously concrete5) between 9.0-9.1.3 is vulnerable to Stored XSS on Saved Preset. Prior to fix, there was no sanitation when saving presets on search. It was a bug that was introduced in version 9.0.0 | N/A | N/A | N/A | N/A | 3.5 | 5.4 | AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Veshraj Ghimire | 2023-04-20 | 2023-04-28 | |||||||||||||||||||||||||||||||||||||||||||
62 | 9.0-9.1.3 | CVE-2023-28476 | Concrete CMS (previously concrete5) before 9.2 is vulnerable to Stored XSS on Tags on uploaded files. MITRE TO BE REQUESTED TO UPDATE AFFECTED VERSIONS. | Concrete CMS (previously concrete5) between 9.0-9.1.3 is vulnerable to Stored XSS on Tags. Prior to fix there was no sanitation when adding tags on uploaded files. The file details page does not exist in the Concrete Dashboard below version 9.0.0 | N/A | N/A | N/A | N/A | 4.5 | 5.4 | AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Veshraj Ghimire, Ashim Chapagain | 2023-04-20 | 2023-04-28 | |||||||||||||||||||||||||||||||||||||||||||
63 | Concrete 9 below 9.1.0 Concrete 8 below 8.5.13 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
64 | Concrete below 9.1.0 Concrete 8 below 8.5.13 | CVE-2023-28819 | Concrete CMS (previously concrete5) before 9.1 is vulnerable to Stored XSS in uploaded file and folder names. MITRE HAS CONFIRMED THEY ARE UPDATING AFFECTED VERSIONS. | Concrete CMS (previously concrete5) 9.0.0 through 9.1 and Concrete CMS 8.5.12 and below is vulnerable to Stored XSS in uploaded file and folder names since Concrete CMS was rendering data without sanitizing it. | 3.5 | 5.4 | AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | solov9ev | 2023-04-20 | 2023-04-28 | |||||||||||||||||||||||||||||||||||||||||||||||
65 | Concrete below 9.1.0 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
66 | Concrete below 9.1.0 | CVE-2023-28820 | Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized. | Concrete CMS (previously concrete5) below 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute since the link element input was not sanitized. | 2 | 5.4 | AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Anna | 2023-04-20 | 2023-04-28 | |||||||||||||||||||||||||||||||||||||||||||||||
68 | Concrete below 9.1.0 | CVE-2023-28821 | Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets. | Concrete CMS (previously concrete5) below 9.1 did not have a rate limit on reset password. The fix relies on a completely new library added to version 9 which is not in version 8. | 5.3 | 5.3 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | @0x0002 | 2023-04-20 | 2023-04-28 | |||||||||||||||||||||||||||||||||||||||||||||||
69 | Concrete 8.5.9 and below Concrete 9.0 through 9.1.2 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
70 | Concrete 8.5.9 and below Concrete 9.0 through 9.1.2 | CVE-2022-43693 | Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth. | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth and is only exploitable if the attacker knows the oauth client secret AND the oauth client is set up without a redirect url which isn’t possible in v9. Systems which use the Employee Portal PIV authentication are NOT vulnerable to this CVE. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+ | 6.8 | 8.8 | AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | Fortbridge (Adrian and Bogdan Tiron) | 2022-11-03 | 2022-11-14 | na | x | x | Added state parameter to external concrete authentication service | 9.1.3 https://github.com/concretecms/concretecms/commit/e9131da39113535856f44b7fb1484002b2f61c30 8.5.x https://github.com/concretecms/concretecms/commit/3834239002502a20f5effee2b09c9f35f4980a78 | ||||||||||||||||||||||||||||||||||||||||||
71 | Concrete 8.5.9 and below Concrete 9.0 through 9.1.2 | CVE-2022-43692 | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS - user can cause an administrator to trigger reflected XSS with a url if the targeted administrator is using an old browser that lacks XSS protection. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS - user can cause an administrator to trigger reflected XSS with a url if that administrator is using an old browser that lacks XSS protection. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | 6.4 | 6.1 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Fortbridge (Adrian and Bogdan Tiron) | 2022-11-03 | 2022-11-14 | x | x | Prevent browser blocked reflected XSS in dashboard search pages | 9.1.3 https://github.com/concretecms/concretecms/commit/5e353be6a12764dbc2338246f2c1b6058cdfd037 8.5.x https://github.com/concretecms/concretecms/commit/0bd65388e5a6d455d8b2469fc166f1b6fdf1abbb | |||||||||||||||||||||||||||||||||||||||||||
72 | Concrete 8.5.9 and below Concrete 9.0 through 9.1.2 | CVE-2022-43694 | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the image manipulation library due to un-sanitized output. | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the image manipulation library due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | 5.9 | 6.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Fortbridge (Adrian and Bogdan Tiron) | 2022-11-03 | 2022-11-14 | x | x | Sanitized output in the dashboard to prevent potential XSS in the Multilingual Report, Image Manipulation Library and icon dashboard page | develop https://github.com/concretecms/concretecms/pull/11002 commit 377f387abc 9.1.3 https://github.com/concretecms/concretecms/commit/2cf75469cfef0699618ab9436049dec33aa8ad15 8.5.x https://github.com/concretecms/concretecms/commit/252c38ccff2f22d00cff18994d8f07aee9400edb | |||||||||||||||||||||||||||||||||||||||||||
73 | Concrete 8.5.9 and below Concrete 9.0 through 9.1.2 | CVE-2022-43967 | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the multilingual report due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the multilingual report due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | 5.9 | 6.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Fortbridge (Adrian and Bogdan Tiron) | 2022-11-03 | 2022-11-14 | x | x | Sanitized output in the dashboard to prevent potential XSS in the Multilingual Report, Image Manipulation Library and icon dashboard page | ||||||||||||||||||||||||||||||||||||||||||||
74 | Concrete 8.5.9 and below Concrete 9.0 through 9.1.2 | CVE-2022-43968 | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the dashboard icons due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the dashboard icons due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | 5.9 | 6.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Fortbridge (Adrian and Bogdan Tiron) | 2022-11-03 | 2022-11-14 | x | x | Sanitized output in the dashboard to prevent potential XSS in the Multilingual Report, Image Manipulation Library and icon dashboard page | ||||||||||||||||||||||||||||||||||||||||||||
75 | Concrete 8.5.9 and below Concrete 9.0 through 9.1.2 | CVE-2022-43686 | In Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2, the authTypeConcreteCookieMap table can be filled up causing a denial of service (high load). | In Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2, the authTypeConcreteCookieMap table can be filled up causing a denial of service (high load). | 4.8 | 6.5 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | Fortbridge (Adrian and Bogdan Tiron) | 2022-11-03 | 2022-11-14 | x | x | waiting for Pen tester confirmation of remediation | Fixed timeout that could occur when using forever cookie/stay signed in functionality on sites with large amounts of users | |||||||||||||||||||||||||||||||||||||||||||
76 | Concrete 8.5.9 and below Concrete 9.0 through 9.1.2 | CVE-2022-43691 | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently disclose server-side sensitive information (secrets in environment variables and server information) when Debug Mode is left on in production. | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently disclose server-side sensitive information (secrets in environment variables and server information) when Debug Mode is left on in production. Mitigation for Concrete CMS below 8.5.10 and between 9.0.0 and 9.1.2 - ensure Debug Mode is turned off in production | 4.3 | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | Fortbridge (Adrian and Bogdan Tiron) | 2022-11-03 | 2022-11-14 | |||||||||||||||||||||||||||||||||||||||||||||||
77 | Concrete 8.5.9 and below Concrete 9.0 through 9.1.2 | CVE-2022-43687 | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+ | 4.2 | 5.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | Fortbridge (Adrian and Bogdan Tiron) | 2022-11-03 | 2022-11-14 | 9.1.3 https://github.com/concretecms/concretecms/commit/92e0025f229e4b237b7d53507f771c2f9027fba3 8.5.x https://github.com/concretecms/concretecms/commit/87d0966e2654bfb6e2a0a459a670926a72bf73bb | ||||||||||||||||||||||||||||||||||||||||||||||
78 | Concrete 8.5.9 and below Concrete 9.0 through 9.1.2 | CVE-2022-43695 | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn’t exist or, if it does exist, contains XSS since it was not properly sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn’t exist or, if it does exist, contains XSS since it was not properly sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | 3.1 | 4.8 | CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | Fortbridge (Adrian and Bogdan Tiron) | 2022-11-03 | 2022-11-14 | 9.1.3 https://github.com/concretecms/concretecms/commit/46129ada9b00e5f7eebc4c6c46aba8bfdbee0ad5 8.5.x https://github.com/concretecms/concretecms/commit/4fc7d1c72b8c8a622cc3d140390c7209f8af57ec | ||||||||||||||||||||||||||||||||||||||||||||||
79 | Concrete 8.5.9 and below Concrete 9.0 through 9.1.2 | CVE-2022-43688 | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in icons since the Microsoft application tile color is not sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in icons since the Microsoft application tile color is not sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+ | 3.1 | 4.8 | CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | Fortbridge (Adrian and Bogdan Tiron) | 2022-11-03 | 2022-11-14 | develop https://github.com/concretecms/concretecms/pull/10999 9.1.3 https://github.com/concretecms/concretecms/commit/51f19b377a19c97a8b8f1d4d0f13724ed1c7c7a7 8.5.x https://github.com/concretecms/concretecms/commit/6d46ca042fcfeda0f7881d8744f5216ef1abce0e | ||||||||||||||||||||||||||||||||||||||||||||||
80 | Concrete 8.5.9 and below Concrete 9.0 through 9.1.2 | CVE-2022-43690 | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 did not use strict comparison for the legacy_salt so that limited authentication bypass could occur if using this functionality. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 did not use strict comparison for the legacy_salt so that limited authentication bypass could occur if using this functionality. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+ | 3.1 | 6.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L | Fortbridge (Adrian and Bogdan Tiron) | 2022-11-03 | 2022-11-14 | 9.1.3 https://github.com/concretecms/concretecms/commit/a4dc73a4a47823373d4b4824534bb9b7d251f72c 8.5.x https://github.com/concretecms/concretecms/commit/d5dd12c40efed326b26862391b7e1e6f414cdd55 | ||||||||||||||||||||||||||||||||||||||||||||||
81 | Concrete 8.5.9 and below Concrete 9.0 through 9.1.2 | CVE-2022-43689 | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure. | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure | 2.2 | 5.3 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | Fortbridge (Adrian and Bogdan Tiron) | 2022-11-03 | 2022-11-14 | 9.1.3 https://github.com/concretecms/concretecms/commit/11d549e1aad20b906f8bbdf0c022584a01bb9a91 8.5.x https://github.com/concretecms/concretecms/commit/37d3a6da32affae47e439dfe4f8f4c25929516e9 | ||||||||||||||||||||||||||||||||||||||||||||||
82 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
83 | Concrete 8.5.9 and below Concrete 9.0 through 9.1.2 | CVE-2022-43556 | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. The Concrete CMS security team has ranked this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N. Thanks @_akbar_jafarli_ for reporting. Remediate by updating to Concrete CMS 8.5.10 and Concrete CMS 9.1.3. | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. | 5.4 | 6.1 | CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | @_akbar_jafarli_ | 2022-11-03 | 2022-12-05 | |||||||||||||||||||||||||||||||||||||||||||||||
84 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
85 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
86 | Concrete 8.5.7 and below Concrete 9.0 through 9.0.2 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
87 | Concrete 8.5.7 and below Concrete 9.0 through 9.0.2 | CVE-2022-21829 | Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concrete_secure’ instead of ‘concrete’. Concrete now only makes requests over https even if a request comes in via http. | same | 8 | 9.8 | CVSS v3.1 vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Anna | 2022-06-21 | 2022-06-24 | |||||||||||||||||||||||||||||||||||||||||||||||
88 | Concrete 8.5.7 and below Concrete 9.0 through 9.0.2 | CVE-2022-30117 | Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 allow traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. This was remediated by sanitizing /index.php/ccm/system/file/upload to ensure Concrete doesn’t allow traversal and by changing isFullChunkFilePresent to have an early false return when input doesn't match expectations. | same | 5.8 | 9.1 | CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H. | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H | Siebene | 2022-06-21 | 2022-06-24 | |||||||||||||||||||||||||||||||||||||||||||||||
89 | Concrete 8.5.7 and below Concrete 9.0 through 9.0.2 | CVE-2022-30120 | XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitization where built URLs are output can be exploited to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Sanitization has been added where built URLs are output. | same | 3.1 | 6.1 | CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/) | 2022-06-21 | 2022-06-24 | |||||||||||||||||||||||||||||||||||||||||||||||
90 | Concrete 8.5.7 and below Concrete 9.0 through 9.0.2 | CVE-2022-30118 | XSS in /dashboard/system/express/entities/forms/save_control/[GUID]: old browsers only. Description: When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form can allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. | same | 2 | 6.1 | CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | zeroinside | 2022-06-21 | 2022-06-24 | |||||||||||||||||||||||||||||||||||||||||||||||
91 | Concrete 8.5.7 and below Concrete 9.0 through 9.0.2 | CVE-2022-30119 | XSS in /dashboard/reports/logs/view - old browsers only. When using Internet Explorer with the XSS protection disabled, insufficient sanitization where built URLs are output can be exploited. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. | same | 2 | 6.1 | CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | zeroinside | 2022-06-21 | 2022-06-24 | |||||||||||||||||||||||||||||||||||||||||||||||
92 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
93 | 8.5.x and below Configuration mitigation for version 8 available | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
94 | 8.5.x and below Configuration mitigation for version 8 available | CVE-2021-22954 | A cross-site request forgery vulnerability exists in Concrete CMS <v9 that could allow an attacker to make requests on behalf of other users. | The CSRF token is stored in dynamic JavaScript in Concrete CMS versions below 9. Version 9 stopped storing the CSRF token in dynamic JavaScript to remediate CVE-2021-22954. The alternate mitigation for versions below 9 is a header configuration applied in nginx/Apache: set the Cross-Origin-Resource-Policy header to either same-origin or same-site (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP) if unsure which to apply). For Nginx, in the location block: add_header Cross-Origin-Resource-Policy "same-origin"; For Apache, in .htaccess or equivalent: Header set Cross-Origin-Resource-Policy "same-origin". Concrete CMS Security Team CVSS 3.1 score: 4.8 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N | 4.8 | 8.8 | AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | "Solar Security Research Team" | 2021-11-16 | 2022-02-09 | 2022-02-13 provided MITRE with Concrete 8 mitigation information | ||||||||||||||||||||||||||||||||||||||||||||||
95 | 8.5.6 and below. 9.0.0 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
96 | 8.5.6 and below | CVE-2021-22970 | Concrete CMS (formerly concrete5) versions 8.5.6 and below and also version 9.0.0 allow local IP importing, causing the system to be vulnerable to (a) SSRF attacks on the private LAN servers by reading files from the local LAN, where an attacker can pivot in the private LAN and exploit local network apps, and (b) SSRF mitigation bypass through DNS rebinding. Concrete CMS security team gave this a CVSS score of 3.5 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N. Concrete CMS is maintaining Concrete version 8.5.x until 1 May 2022 for security fixes. This CVE is shared with HackerOne Reports https://hackerone.com/reports/1364797 and https://hackerone.com/reports/1360016 | 3.5 | Adrian Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) and Bipul Jaiswal | 2021-11-10 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
97 | 8.5.6 and below | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
98 | 8.5.6 and below | CVE-2021-40101 | An issue was discovered in Concrete CMS before 8.5.7. The Dashboard allows a user's password to be changed without a prompt for the current password. | 7.8 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||
99 | 8.5.6 and below | CVE-2021-22966 | Privilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. If a group is granted "view" permissions on the bulkupdate page, then users in that group can escalate to being an administrator with a specially crafted curl. Fixed by adding a check for group permissions before allowing a group to be moved. Concrete CMS Security team CVSS scoring: 7.1 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H. This fix is also in Concrete version 9.0.0 | 7.1 | Adrian Tiron from FORTBRIDGE ( https://www.fortbridge.co.uk/ ) | 2021-11-10 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
100 | 8.5.6 and below | CVE-2021-22968 | A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below. The external file upload feature stages files in the public directory even if they have disallowed file extensions. They are stored in a directory with a random name, but it's possible to stall the uploads and brute force the directory name. You have to be an admin with the ability to upload files, but this bug gives you the ability to upload restricted file types and execute them depending on server configuration. To fix this, a check for allowed file extensions was added before downloading files to a tmp directory. Concrete CMS Security Team gave this a CVSS v3.1 score of 5.4 AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N. This fix is also in Concrete version 9.0.0 | 5.4 | Joe | 2021-11-10 |