Concrete CMS DISCLOSED CVEs

Last updated: 2024-11-12

Each entry below gives, in this order: the CVE (or "no CVE" for informational notes); affected versions; the MITRE title; Concrete Team information; the CVSS v4 score and vector as assigned by the Concrete Team and by NIST; the CVSS v3.1 score and vector as assigned by the Concrete Team and by NIST; credit; the date disclosed by Concrete; the date published by NVD; and, for disputed entries, the disputed date. "Pending" means the NVD assessment has not yet been provided. Entries from 2022 also carry the commit(s) that fixed them.

No CVE (informational only)
Affected versions: Concrete below 9.3.6
MITRE title: See Concrete Team information (Concrete CMS is now a CNA)
Concrete Team information: Concrete below 9.3.6 does not automatically set security headers for cached pages. Security headers have to be set manually in .htaccess or in the Apache / nginx settings.
CVSS v4 score: Concrete Team 0; NIST N/A (security updates are not assessed)
CVSS v4 vector: Concrete Team none; NIST N/A
CVSS v3.1 score: Concrete Team 0; NIST 0
CVSS v3.1 vector: Concrete Team none; NIST none
Credit: Hissy
Disclosed by Concrete: 2024-11-05
Published by NVD: N/A
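A quick way to confirm that the web server, not the application, is supplying the headers is to fetch the same page cold and warm (for example with `curl -sI` twice) and diff the header blocks. The checker below is an added example, not code from the Concrete CMS project; the two header blocks in it are constructed samples, and the set of headers and the "adequate value" rules are my own choices.

```python
"""Check which security headers a response carries, and which ones a cached
copy of the same page has lost.

Added example, not Concrete CMS code. It assumes the operator has fetched the
same page twice (a cold request rendered by Concrete and a warm one served from
its page cache) and pasted in the raw header blocks. The two blocks below are
constructed samples, not captured from a real site."""

from typing import Callable, Dict, List

# Header name -> predicate that accepts a value considered adequate.
REQUIRED_HEADERS: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "content-security-policy": lambda v: bool(v.strip()),
    "referrer-policy": lambda v: bool(v.strip()),
}


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn a raw HTTP/1.1 header block into a lower-cased name -> value map.

    The status line is skipped; duplicate names keep the last value, which is
    enough for a presence check."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def missing_security_headers(raw: str) -> List[str]:
    """Sorted findings: "name: missing" or "name: weak value '...'"."""
    headers = parse_headers(raw)
    findings = []
    for name, acceptable in REQUIRED_HEADERS.items():
        if name not in headers:
            findings.append(f"{name}: missing")
        elif not acceptable(headers[name]):
            findings.append(f"{name}: weak value {headers[name]!r}")
    return sorted(findings)


def headers_lost_in_cache(cold_raw: str, warm_raw: str) -> List[str]:
    """Security headers present on the cold (rendered) response but absent on
    the warm (cached) one. Anything listed here is being set by the application
    rather than by the web server, which is exactly the gap the entry above
    describes: move those headers into the server configuration."""
    cold, warm = parse_headers(cold_raw), parse_headers(warm_raw)
    return sorted(n for n in REQUIRED_HEADERS if n in cold and n not in warm)


# Constructed sample: first request, page rendered by the application.
COLD_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: default-src 'self'
Referrer-Policy: strict-origin-when-cross-origin
"""

# Constructed sample: second request, served from the page cache with only
# what the web server adds on its own.
WARM_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Cache-Control: public, max-age=3600
Age: 42
"""

if __name__ == "__main__":
    print("cold:", missing_security_headers(COLD_RESPONSE) or "ok")
    print("warm:", missing_security_headers(WARM_RESPONSE) or "ok")
    print("lost in cache:", headers_lost_in_cache(COLD_RESPONSE, WARM_RESPONSE))
```

When the "lost in cache" list is non-empty, the fix is on the server side: Apache's mod_headers `Header always set ...` or nginx's `add_header ... always;` apply to every response regardless of whether Concrete rendered the page or served it from cache (the `always` form is what makes them apply to non-2xx responses as well).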

CVE-2024-8660
Affected versions: Concrete below 9.3.4
MITRE title: N/A (Concrete CMS is now a CNA)
Concrete Team information: Concrete CMS versions 9.0.0 through 9.3.4 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block. Since the block's output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted users visited the home page. This does not affect versions below 9.0.0, since they do not have the Top Navigator Bar block.
CVSS v4 score: Concrete Team 4.6; NIST pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N; NIST pending (NVD assessment not yet provided)
CVSS v3.1 score: Concrete Team N/A; NIST 4.8
CVSS v3.1 vector: Concrete Team N/A; NIST CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Credit: Chu Quoc Khanh (k0i3n)
Disclosed by Concrete: 2024-09-17
Published by NVD: 2024-09-17

CVE-2024-8661
Affected versions: Concrete 9 below 9.3.4; Concrete 8 below 8.5.19
MITRE title: N/A (Concrete CMS is now a CNA)
Concrete Team information: Concrete CMS versions 9.0.0 to 9.3.4 and below 8.5.18 are vulnerable to stored XSS in the "Next&Previous Nav" block. Since the block's output was not sufficiently sanitized, a rogue administrator could add a malicious payload that would be executed in the browsers of targeted users.
CVSS v4 score: Concrete Team 4.6; NIST pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N; NIST pending (NVD assessment not yet provided)
CVSS v3.1 score: Concrete Team N/A; NIST N/A
CVSS v3.1 vector: Concrete Team N/A; NIST N/A
Credit: Chu Quoc Khanh (k0i3n)
Disclosed by Concrete: 2024-09-16
Published by NVD: 2024-09-16

CVE-2024-7398
Affected versions: Concrete 9 below 9.3.4; Concrete 8 below 8.5.19
MITRE title: N/A (Concrete CMS is now a CNA)
Concrete Team information: Concrete version 9 below 9.3.4 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature, because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with permission to modify event calendars can execute scripts.
CVSS v4 score: Concrete Team 1.8; NIST pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N; NIST pending (NVD assessment not yet provided)
CVSS v3.1 score: Concrete Team N/A; NIST 5.4
CVSS v3.1 vector: Concrete Team N/A; NIST CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Credit: Yusuke Uchida
Disclosed by Concrete: 2024-09-24
Published by NVD: 2024-09-24

CVE-2024-8291
Affected versions: Concrete 9 below 9.3.4; Concrete 8 below 8.5.19
MITRE title: N/A (Concrete CMS is now a CNA)
Concrete Team information: Concrete CMS version 9 below 9.3.4 and versions below 8.5.19 are vulnerable to stored XSS in the Image Editor Background Color. A rogue admin could add malicious code under Thumbnails / Add Type.
CVSS v4 score: Concrete Team 2.1; NIST pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N; NIST pending (NVD assessment not yet provided)
CVSS v3.1 score: Concrete Team N/A; NIST 4.8
CVSS v3.1 vector: Concrete Team N/A; NIST CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Credit: Alexey Solovyev (solov9ev)
Disclosed by Concrete: 2024-09-24
Published by NVD: 2024-09-24

CVE-2024-8291 (earlier entry for the same CVE)
Affected versions: Concrete 9 to 9.3.3 and versions below 8.5.19
MITRE title: N/A
Concrete Team information: As in the 2024-09-24 entry for CVE-2024-8291 above (stored XSS in the Image Editor Background Color).
CVSS v4 score: Concrete Team 2.1; NIST pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N; NIST pending (NVD assessment not yet provided)
CVSS v3.1 score: Concrete Team N/A; NIST 4.8
CVSS v3.1 vector: Concrete Team N/A (marked obsolete); NIST CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Credit: Alexey Solovyev
Disclosed by Concrete: 2024-08-10
Published by NVD: 2024-08-10

CVE-2024-7398 (earlier entry for the same CVE)
Affected versions: Concrete 9 to 9.3.3 and versions below 8.5.19
MITRE title: N/A
Concrete Team information: Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature. Users or groups with permission to create event calendars could embed scripts, and users or groups with permission to modify event calendars could execute scripts.
CVSS v4 score: Concrete Team 1.8; NIST pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N; NIST pending (NVD assessment not yet provided)
CVSS v3.1 score: Concrete Team N/A; NIST 5.4
CVSS v3.1 vector: Concrete Team N/A; NIST CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Credit: Yusuke Uchida
Disclosed by Concrete: 2024-08-10
Published by NVD: 2024-08-10

No CVE (informational only)
Affected versions: Concrete below 9.3.3
MITRE title: N/A
Concrete Team information: Concrete CMS version 9.3.3 now enforces the Secure flag on the CONCRETE cookie by default when the login request is made over HTTPS, in line with industry best practice. If a site is served over http:// and the guest logs in over http://, the CONCRETE cookie will not have the Secure flag applied, so that the site remains usable. Although the patch could not be applied cleanly to version 8, the Secure flag setting can be configured via the dashboard. Since this is a configuration setting, no CVE is being issued.
CVSS v4 score: Concrete Team 0; NIST N/A (security updates are not assessed)
CVSS v4 vector: Concrete Team none; NIST N/A
CVSS v3.1 score: Concrete Team 0; NIST N/A
CVSS v3.1 vector: Concrete Team none; NIST N/A
Credit: Yusuke Uchida
Disclosed by Concrete: 2024-08-08
Published by NVD: 2024-08-08

CVE-2024-4350
Affected versions: Concrete 9 to 9.3.2 and versions below 8.5.18
MITRE title: N/A (Concrete CMS is now a CNA)
Concrete Team information: Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to stored XSS in RSS Displayer when user input is stored and later embedded into responses. A rogue administrator could inject malicious code into fields due to insufficient input validation.
CVSS v4 score: Concrete Team 2.1; NIST pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N; NIST pending (NVD assessment not yet provided)
CVSS v3.1 score: Concrete Team 3.0; NIST pending
CVSS v3.1 vector: Concrete Team AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N; NIST "CVSS v3.1 deprecated"
Credit: m3dium
Disclosed by Concrete: 2024-08-08
Published by NVD: 2024-08-12

CVE-2024-7394
Affected versions: Concrete 9 to 9.3.2 and versions below 8.5.18
MITRE title: N/A (Concrete CMS is now a CNA)
Concrete Team information: Concrete CMS versions 9 through 9.3.2 and below 8.5.18 are vulnerable to stored XSS in getAttributeSetName(). A rogue administrator could inject malicious code.
CVSS v4 score: Concrete Team 1.8; NIST pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N; NIST pending (NVD assessment not yet provided)
CVSS v3.1 score: Concrete Team 2.0; NIST pending
CVSS v3.1 vector: Concrete Team AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N; NIST "CVSS v3.1 deprecated"
Credit: m3dium
Disclosed by Concrete: 2024-08-08
Published by NVD: 2024-08-08

CVE-2024-4353
Affected versions: Concrete 9 to 9.3.2 (versions below 9 not affected)
MITRE title: N/A (Concrete CMS is now a CNA)
Concrete Team information: Stored XSS in the Generate Board Name input field. Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board instance functionality. The Name input field does not check the input sufficiently, letting a rogue administrator inject malicious JavaScript code.
CVSS v4 score: Concrete Team 1.8; NIST pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N; NIST pending (NVD assessment not yet provided)
CVSS v3.1 score: Concrete Team 3.1; NIST pending
CVSS v3.1 vector: Concrete Team AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N; NIST "CVSS v3.1 deprecated"
Credit: fhAnso
Disclosed by Concrete: 2024-08-01
Published by NVD: 2024-08-01

CVE-2024-7512
Affected versions: Concrete 9 to 9.3.2 (versions below 9 not affected)
MITRE title: N/A (Concrete CMS is now a CNA)
Concrete Team information: Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in Board instances. A rogue administrator could inject malicious code.
CVSS v4 score: Concrete Team 1.8; NIST pending
CVSS v4 vector: Concrete Team CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N; NIST pending (NVD assessment not yet provided)
CVSS v3.1 score: Concrete Team 2.6; NIST pending
CVSS v3.1 vector: Concrete Team AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N; NIST "CVSS v3.1 deprecated"
Credit: m3dium
Disclosed by Concrete: 2024-08-09
Published by NVD: 2024-08-12

CVE-2024-3180
Affected versions: Concrete 9 to 9.2.7 and Concrete 8 below 8.5.16
MITRE title: N/A (Concrete CMS is now a CNA)
Concrete Team information: Concrete CMS version 9 below 9.2.8 and previous versions below 8.5.16 are vulnerable to stored XSS in blocks of type file. Prior to the fix, stored XSS could be caused by a rogue administrator adding malicious code to the link-text field when creating a block of type file.
CVSS v4 score: Concrete Team N/A; NIST N/A
CVSS v4 vector: Concrete Team N/A; NIST N/A
CVSS v3.1 score: Concrete Team 3.1; NIST pending
CVSS v3.1 vector: Concrete Team AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L; NIST "CVSS v3.1 deprecated"
Credit: Alexey Solovyev
Disclosed by Concrete: 2024-03-04
Published by NVD: 2024-04-03

CVE-2024-3181
Affected versions: Concrete 9 to 9.2.7 and Concrete 8 below 8.5.16
MITRE title: N/A (Concrete CMS is now a CNA)
Concrete Team information: Stored XSS in the Search Field. Prior to the fix, stored XSS could be executed by an administrator changing a filter to which a rogue administrator had previously added malicious code.
CVSS v4 score: Concrete Team N/A; NIST N/A
CVSS v4 vector: Concrete Team N/A; NIST N/A
CVSS v3.1 score: Concrete Team 3.1; NIST pending
CVSS v3.1 vector: Concrete Team AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L; NIST "CVSS v3.1 deprecated"
Credit: Alexey Solovyev
Disclosed by Concrete: 2024-04-03
Published by NVD: 2024-04-03

CVE-2024-2179
Affected versions: Concrete 9 to 9.2.6 (versions below 9 not affected)
MITRE title: Same as Concrete (Concrete CMS is now a CNA)
Concrete Team information: Concrete CMS version 9 before 9.2.7 is vulnerable to stored XSS via the Name field of a Group type, since there is insufficient validation of administrator-provided data for that field. A rogue administrator could inject malicious code into the Name field, which might be executed when users visit the affected page.
CVSS v4 score: Concrete Team N/A; NIST N/A
CVSS v4 vector: Concrete Team N/A; NIST N/A
CVSS v3.1 score: Concrete Team 2.2; NIST pending
CVSS v3.1 vector: Concrete Team AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N; NIST pending
Credit: Luca Fuda
Disclosed by Concrete: 2024-03-05
Published by NVD: 2024-03-05

CVE-2024-1245
Affected versions: Concrete 9.0.0 to 9.2.5
MITRE title: Same as Concrete (Concrete CMS is now a CNA)
Concrete Team information: Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes, since administrator-entered file attributes are not sufficiently sanitized in the Edit Attributes page. A rogue administrator could put malicious code into the file tags or description attributes and, when another administrator opens the same file for editing, the malicious code could execute.
CVSS v4 score: Concrete Team N/A; NIST N/A
CVSS v4 vector: Concrete Team N/A; NIST N/A
CVSS v3.1 score: Concrete Team 2.4; NIST 4.8
CVSS v3.1 vector: Concrete Team AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N; NIST AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
Credit: Poto Gabor
Disclosed by Concrete: 2024-02-06
Published by NVD: 2024-02-09

CVE-2024-1246
Affected versions: Concrete 9.0.0 to 9.2.5
MITRE title: Same as Concrete (Concrete CMS is now a CNA)
Concrete Team information: Concrete CMS version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import feature, due to insufficient validation of administrator-provided data. A rogue administrator could inject malicious code when importing images, leading to execution of the malicious code in the website user's browser. This does not affect Concrete versions prior to version 9.
CVSS v4 score: Concrete Team N/A; NIST N/A
CVSS v4 vector: Concrete Team N/A; NIST N/A
CVSS v3.1 score: Concrete Team 2; NIST 4.8
CVSS v3.1 vector: Concrete Team AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N; NIST AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Credit: cupc4k3
Disclosed by Concrete: 2024-02-06
Published by NVD: 2024-02-09

CVE-2024-1247
Affected versions: Concrete 9.0.0 to 9.2.5
MITRE title: Same as Concrete (Concrete CMS is now a CNA)
Concrete Team information: Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS via the Role Name field, since there is insufficient validation of administrator-provided data for that field. A rogue administrator could inject malicious code into the Role Name field, which might be executed when users visit the affected page. Concrete versions below 9 do not include group types, so they are not affected by this vulnerability.
CVSS v4 score: Concrete Team N/A; NIST N/A
CVSS v4 vector: Concrete Team N/A; NIST N/A
CVSS v3.1 score: Concrete Team 2; NIST 4.8
CVSS v3.1 vector: Concrete Team AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N; NIST AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Credit: cupc4k3
Disclosed by Concrete: 2024-02-06
Published by NVD: 2024-02-09

CVE-2023-44762
Affected versions: Concrete 9.2.0 through 9.2.2
MITRE title: A Cross Site Scripting (XSS) vulnerability in Concrete CMS from versions 9.2.0 to 9.2.2 allows an attacker to execute arbitrary code via a crafted script to the Tags from Settings - Tags.
Concrete Team information: A Cross Site Scripting (XSS) vulnerability in Concrete CMS version 9.2 through 9.2.2 allows an attacker to execute arbitrary code via a crafted script to the Tags from Settings - Tag. The file this touches is in Bedrock, using a custom library the project wrote for version 9.2.0.
CVSS v4 score: Concrete Team N/A; NIST N/A
CVSS v4 vector: Concrete Team N/A; NIST N/A
CVSS v3.1 score: Concrete Team did not rank (found in the wild); NIST 5.4
CVSS v3.1 vector: Concrete Team did not rank (found in the wild); NIST CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Credit: Did not communicate with Concrete; found in the wild
Published by NVD: 2023-10-06
Disputed date: N/A

CVE-2023-44764
Affected versions: Concrete 9 to 9.2.2
MITRE title: A Cross Site Scripting (XSS) vulnerability in Concrete CMS v.9.2.1 allows an attacker to execute arbitrary code via a crafted script to the SITE parameter from installation or in the Settings. (MITRE to be asked to update the affected versions.)
Concrete Team information: A Cross Site Scripting (XSS) vulnerability in Concrete CMS 9.0.0 through 9.2.2 allows an attacker to execute arbitrary code via a crafted script to the SITE parameter from installation or in the Settings.
CVSS v4 score: Concrete Team N/A; NIST N/A
CVSS v4 vector: Concrete Team N/A; NIST N/A
CVSS v3.1 score: Concrete Team did not rank (found in the wild); NIST 5.4
CVSS v3.1 vector: Concrete Team did not rank (found in the wild); NIST CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Credit: Did not communicate with Concrete; found in the wild
Published by NVD: 2023-10-06
Disputed date: N/A

CVE-2023-48652
Affected versions: Concrete 9 to 9.2.2
MITRE title: Concrete CMS 9 before 9.2.3 is vulnerable to Cross-Site Request Forgery (CSRF) via /ccm/system/dialogs/logs/delete_all/submit. An attacker can force an admin user to delete server report logs on a web application to which they are currently authenticated.
Concrete Team information: CSRF to delete report logs is present at /ccm/system/dialogs/logs/delete_all/submit.
CVSS v4 score: Concrete Team N/A; NIST N/A
CVSS v4 vector: Concrete Team N/A; NIST N/A
CVSS v3.1 score: Concrete Team 6.3; NIST 4.3
CVSS v3.1 vector: Concrete Team AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L; NIST AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Credit: Veshraj Ghimire
Disclosed by Concrete: 2023-12-25
Published by NVD: 2023-12-25

CVE-2023-48651
Affected versions: Concrete 9 to 9.2.2
MITRE title: Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery (CSRF) at /ccm/system/dialogs/file/delete/1/submit.
Concrete Team information: A CSRF (bypass) allowing deletion of any file is present at /ccm/system/dialogs/file/delete/1/submit.
CVSS v4 score: Concrete Team N/A; NIST N/A
CVSS v4 vector: Concrete Team N/A; NIST N/A
CVSS v3.1 score: Concrete Team 4.3; NIST pending
CVSS v3.1 vector: Concrete Team AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L; NIST pending
Credit: Veshraj Ghimire
Disclosed by Concrete: 2023-12-25
Published by NVD: 2024-02-28

CVE-2023-49337
Affected versions: Concrete 9 to 9.2.2
MITRE title: Concrete CMS before 9.2.3 allows Stored XSS on the Admin Dashboard via /dashboard/system/basics/name. (8.5 and earlier are unaffected.)
Concrete Team information: Stored XSS on the admin dashboard via /dashboard/system/basics/name.
CVSS v4 score: Concrete Team N/A; NIST N/A
CVSS v4 vector: Concrete Team N/A; NIST N/A
CVSS v3.1 score: Concrete Team 2.4; NIST 2.4
CVSS v3.1 vector: Concrete Team AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N; NIST AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
Credit: Ramshath MM
Disclosed by Concrete: 2023-12-25
Published by NVD: 2023-12-25

CVE-2023-48653
Affected versions: Concrete 9 to 9.2.2; Concrete 8 below 8.5.14
MITRE title: Concrete CMS before 8.5.14 and 9 before 9.2.3 allows Cross Site Request Forgery (CSRF) via ccm/calendar/dialogs/event/delete/submit. An attacker can force an admin to delete events on the site because the event ID is numeric and sequential.
Concrete Team information: A CSRF vulnerability is present at ccm/calendar/dialogs/event/delete/submit.
CVSS v4 score: Concrete Team N/A; NIST N/A
CVSS v4 vector: Concrete Team N/A; NIST N/A
CVSS v3.1 score: Concrete Team 4.3; NIST pending
CVSS v3.1 vector: Concrete Team AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N; NIST pending
Credit: Veshraj Ghimire
Disclosed by Concrete: 2023-12-25
Published by NVD: 2024-02-28

CVE-2023-48650
Affected versions: Concrete 9 to 9.2.2; Concrete 8 below 8.5.14
MITRE title: Concrete CMS before 8.5.14 and 9 before 9.2.3 is vulnerable to an admin adding a stored XSS payload via the Layout Preset name.
Concrete Team information: Stored XSS in the Layout Preset name.
CVSS v4 score: Concrete Team N/A; NIST N/A
CVSS v4 vector: Concrete Team N/A; NIST N/A
CVSS v3.1 score: Concrete Team 3.5; NIST pending
CVSS v3.1 vector: Concrete Team AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N; NIST pending
Credit: Solar Security CMS Research
Disclosed by Concrete: 2023-12-25
Published by NVD: 2024-02-28

CVE-2023-48648
Affected versions: Concrete 9 below 9.2.2; Concrete 8 below 8.5.13
MITRE title: Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions. File creation functions (such as the mkdir() function) give universal access (0777) to created folders by default. Excessive permissions can be granted when creating a directory with permissions greater than 0755 or when the permissions argument is not specified.
Concrete Team information: Concrete 8.5.12 and below and Concrete 9.0.0 through 9.2.1 are vulnerable to unauthorized access because directories can be created with insecure permissions. File creation functions (such as the mkdir() function) give universal access (0777) to created folders by default. Excessive permissions can be granted when creating a directory with permissions greater than 0755 or when the permissions argument is not specified.
CVSS v4 score: Concrete Team N/A; NIST N/A
CVSS v4 vector: Concrete Team N/A; NIST N/A
CVSS v3.1 score: Concrete Team 5.3; NIST 9.8
CVSS v3.1 vector: Concrete Team AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H; NIST CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Credit: Mlocati for fixing; tahabiyikli-vortex for reporting
Disclosed by Concrete: 2023-11-17
Published by NVD: 2023-11-16
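The mechanism behind CVE-2023-48648 is not specific to PHP: both PHP's mkdir() and Python's os.mkdir() request 0777 when no mode is given, and the only thing narrowing it is the process umask, which a web server or container may leave at 0. The script below is an added example, not Concrete CMS code, that reproduces the effect under a chosen umask and audits a tree for world-writable directories; the directory names are arbitrary and it assumes a POSIX filesystem that honours mode bits.

```python
"""Demonstrate why a directory created without an explicit mode can end up
world-writable, and audit a tree for such directories.

Added example, not Concrete CMS code. PHP's mkdir() and Python's os.mkdir()
both default to 0777 minus the process umask, so the demo sets the umask
itself (0 reproduces a permissive deployment) and restores it afterwards.
Directory names are arbitrary. POSIX only."""

import os
import stat
import tempfile
from typing import Dict, List


def create_dir_default_mode(path: str) -> None:
    """The vulnerable pattern: no mode argument, so 0777 narrowed only by umask."""
    os.mkdir(path)


def create_dir_hardened(path: str, mode: int = 0o755) -> None:
    """Request an explicit mode and then chmod to it, so the result does not
    depend on whatever umask the web server happens to run with."""
    os.mkdir(path, mode)
    os.chmod(path, mode)


def dir_mode(path: str) -> int:
    """Permission bits only (no file-type bits), e.g. 0o755."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def find_world_writable_dirs(root: str) -> List[str]:
    """Paths (relative to root) of directories any local user can write to.
    Run this over a deployed tree to find what an old release left behind;
    upgrading fixes future mkdir() calls, not directories already created."""
    hits = []
    for current, dirnames, _ in os.walk(root):
        for name in dirnames:
            full = os.path.join(current, name)
            if dir_mode(full) & stat.S_IWOTH:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo(umask: int = 0) -> Dict[str, object]:
    """Create one directory each way under the given umask and report the
    resulting modes plus what the audit flags."""
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as root:
            insecure = os.path.join(root, "uploads-default")
            hardened = os.path.join(root, "uploads-explicit")
            create_dir_default_mode(insecure)
            create_dir_hardened(hardened)
            return {
                "default_mode": dir_mode(insecure),
                "hardened_mode": dir_mode(hardened),
                "world_writable": find_world_writable_dirs(root),
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for umask in (0o000, 0o022):
        r = demo(umask)
        print(f"umask {umask:04o}: default {r['default_mode']:04o}, "
              f"hardened {r['hardened_mode']:04o}, flagged {r['world_writable']}")
```

Under umask 022 the two directories look identical (both 0755), which is why the defect went unnoticed on typical hosts; only under umask 0 does the default-mode directory come out 0777. Relying on the umask is therefore not a fix; passing the mode explicitly is.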

CVE-2023-48649
Affected versions: Concrete 9 below 9.2.2; Concrete 8 below 8.5.13
MITRE title: Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows stored XSS on the Admin page via an uploaded file name.
Concrete Team information: Concrete 8.5.12 and below and Concrete 9.0.0 through 9.2.1 are vulnerable to stored XSS on the Concrete Admin page. Prior to the fix there was no sanitation of uploaded file names. The Concrete CMS Security team scored this 3.5 with CVSS v3 vector AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N. @akbar_jafarli reported H1 2149479. Fixed in https://github.com/concretecms/concretecms/pull/11695 for Concrete 9.2.2 and in https://github.com/concretecms/concretecms/pull/11739 for Concrete 8.5.13.
CVSS v4 score: Concrete Team N/A; NIST N/A
CVSS v4 vector: Concrete Team N/A; NIST N/A
CVSS v3.1 score: Concrete Team 3.5; NIST 5.4
CVSS v3.1 vector: Concrete Team AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N; NIST CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Credit: Akbar Jafarli
Disclosed by Concrete: 2023-12-25
Published by NVD: 2023-11-16

CVE-2023-44761
Affected versions: Concrete 9 below 9.2.2; Concrete 8 below 8.5.13
MITRE title: Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow a local attacker to execute arbitrary code via a crafted script to the Forms of the Data objects. (In communication with MITRE to update the affected versions.)
Concrete Team information: Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS 9.0.0 through 9.2.1 and below 8.5.13 allow a local attacker to execute arbitrary code via a crafted script to the Forms of the Data objects.
CVSS v4 score: Concrete Team N/A; NIST N/A
CVSS v4 vector: Concrete Team N/A; NIST N/A
CVSS v3.1 score: Concrete Team did not rank (found in the wild); NIST 5.4
CVSS v3.1 vector: Concrete Team did not rank (found in the wild); NIST CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Credit: Not reported to Concrete
Published by NVD: 2023-10-06

CVE-2023-44765
Affected versions: Concrete 9 below 9.2.2; Concrete 8 below 8.5.13
MITRE title: A Cross Site Scripting (XSS) vulnerability in Concrete CMS versions 8.5.12 and below, and 9.0 through 9.2.1, allows an attacker to execute arbitrary code via a crafted script to Plural Handle of the Data Objects from System & Settings.
Concrete Team information: A Cross Site Scripting (XSS) vulnerability in Concrete CMS 9.0.0 through 9.2.1 and below 8.5.13 allows an attacker to execute arbitrary code via a crafted script to Plural Handle of the Data Objects from System & Settings.
CVSS v4 score: Concrete Team N/A; NIST N/A
CVSS v4 vector: Concrete Team N/A; NIST N/A
CVSS v3.1 score: Concrete Team did not rank (found in the wild); NIST 5.4
CVSS v3.1 vector: Concrete Team did not rank (found in the wild); NIST CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Credit: Not reported to Concrete
Published by NVD: 2023-10-06

CVE-2023-44763 (CONCRETE CMS DISPUTES)
Affected versions: Concrete 9.2.1 (as claimed)
MITRE title: Concrete CMS v9.2.1 is affected by an Arbitrary File Upload vulnerability via the "Thumbnail" file upload, which allows Cross-Site Scripting (XSS).
Concrete Team information: Disputing with MITRE; asking for it to be removed.
CVSS v4 score: Concrete Team N/A; NIST N/A
CVSS v4 vector: Concrete Team N/A; NIST N/A
CVSS v3.1 score: Concrete Team did not rank (found in the wild); NIST 5.4
CVSS v3.1 vector: Concrete Team n/a; NIST CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Credit: Not reported to Concrete
Published by NVD: 2023-10-10
Disputed date: 2023-10-25

CVE-2023-44760 (CONCRETE CMS DISPUTES)
Affected versions: Concrete 9.2.1 (as claimed)
MITRE title: Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow an attacker to execute arbitrary code via a crafted script to the Header and Footer Tracking Codes of the SEO & Statistics.
Concrete Team information: Disputing with MITRE; asking for it to be removed.
CVSS v4 score: Concrete Team N/A; NIST N/A
CVSS v4 vector: Concrete Team N/A; NIST N/A
CVSS v3.1 score: Concrete Team did not rank (found in the wild); NIST 5.4
CVSS v3.1 vector: Concrete Team n/a; NIST CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Credit: Not reported to Concrete
Published by NVD: 2023-10-23
Disputed date: 2023-10-30

CVE-2023-44766 (CONCRETE CMS DISPUTES)
Affected versions: Concrete 9.2.1 (as claimed)
MITRE title: A Cross Site Scripting (XSS) vulnerability in Concrete CMS v.9.2.1 allows an attacker to execute arbitrary code via a crafted script to the SEO - Extra from Page Settings.
Concrete Team information: Disputing with MITRE; asking for it to be removed.
CVSS v4 score: Concrete Team N/A; NIST N/A
CVSS v4 vector: Concrete Team N/A; NIST N/A
CVSS v3.1 score: Concrete Team did not rank (found in the wild); NIST 5.4
CVSS v3.1 vector: Concrete Team n/a; NIST CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Credit: Not reported to Concrete
Published by NVD: 2023-10-06
Disputed date: 2023-11-16

CVE-2023-28472
Affected versions: Concrete 9 below 9.2; Concrete 8 below 8.5.13
MITRE title: Not recorded correctly on this page (the entry repeats the CVE-2023-28475 Reply-form text); see Concrete Team information.
Concrete Team information: Concrete CMS (previously concrete5) 9.0.0 through 9.1.3 and below 8.5.13 does not have the Secure and HttpOnly attributes set for ccmPoll cookies. [CVE update required: the Survey block controller was updated to honour the concrete.session.cookie.cookie_secure value for the ccmPoll cookie, which developers can set to true if they want to use secure cookies.]
CVSS v4 score: Concrete Team N/A; NIST N/A
CVSS v4 vector: Concrete Team N/A; NIST N/A
CVSS v3.1 score: Concrete Team 3.4; NIST 5.3
CVSS v3.1 vector: Concrete Team AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N; NIST CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Credit: not given
Disclosed by Concrete: 2023-04-20
Published by NVD: 2023-04-28

CVE-2023-28473
Affected versions: Concrete 9 below 9.2; Concrete 8 below 8.5.13
MITRE title: Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3, is vulnerable to possible auth bypass in the jobs section.
Concrete Team information: Concrete CMS (previously concrete5) 9.0.0 through 9.1.3 and below 8.5.13 is vulnerable to possible auth bypass in the jobs section.
CVSS v4 score: Concrete Team N/A; NIST N/A
CVSS v4 vector: Concrete Team N/A; NIST N/A
CVSS v3.1 score: Concrete Team 2.2; NIST 3.3
CVSS v3.1 vector: Concrete Team AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N; NIST CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L
Credit: Fortbridge (Adrian Tiron)
Disclosed by Concrete: 2023-04-20
Published by NVD: 2023-04-28

CVE-2023-28475
Affected versions: Concrete 9 below 9.2; Concrete 8 below 8.5.13
MITRE title: Concrete CMS (previously concrete5) versions 8.5.12 and below, and versions 9.0 through 9.1.3, is vulnerable to reflected XSS on the Reply form because msgID was not sanitized.
Concrete Team information: Concrete CMS (previously concrete5) 9.0.0 through 9.1.3 and below 8.5.13 is vulnerable to reflected XSS on the Reply form since msgID was not sanitized.
CVSS v4 score: Concrete Team N/A; NIST N/A
CVSS v4 vector: Concrete Team N/A; NIST N/A
CVSS v3.1 score: Concrete Team 4.2; NIST 6.1
CVSS v3.1 vector: Concrete Team AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N; NIST CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Credit: Fortbridge (Bogdan Tiron)
Disclosed by Concrete: 2023-04-20
Published by NVD: 2023-04-28

CVE-2023-28477
Affected versions: Concrete 9 below 9.2; Concrete 8 below 8.5.13
MITRE title: Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3, is vulnerable to stored XSS on API Integrations via the name parameter.
Concrete Team information: Concrete CMS (previously concrete5) 9.0.0 through 9.1.3 and below 8.5.13 is vulnerable to stored XSS on API Integrations via the name parameter. Prior to the fix, while adding API Integrations in Concrete CMS, the name parameter accepted special characters, enabling malicious JavaScript payloads affecting /dashboard/system/api/integrations and /dashboard/system/api/integrations/view_client/unique-id.
CVSS v4 score: Concrete Team N/A; NIST N/A
CVSS v4 vector: Concrete Team N/A; NIST N/A
CVSS v3.1 score: Concrete Team 5.5; NIST 5.5
CVSS v3.1 vector: Concrete Team AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N; NIST CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
Credit: Veshraj Ghimire
Disclosed by Concrete: 2023-04-20
Published by NVD: 2023-04-28

CVE-2023-28471
Affected versions: Concrete 9.0 to 9.1.3 (does NOT affect Concrete 8.5 and below)
MITRE title: Concrete CMS (previously concrete5) before 9.2 is vulnerable to stored XSS via a container name. (MITRE to be requested to update the affected versions.)
Concrete Team information: Concrete CMS (previously concrete5) between 9.0 and 9.1.3 is vulnerable to stored XSS on the container name. Prior to the fix there was no sanitization of the container name. Concrete versions below 9 do not use containers.
CVSS v4 score: Concrete Team N/A; NIST N/A
CVSS v4 vector: Concrete Team N/A; NIST N/A
CVSS v3.1 score: Concrete Team 2; NIST 5.4
CVSS v3.1 vector: Concrete Team AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N; NIST CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Credit: Ashim Chapagain
Disclosed by Concrete: 2023-04-20
Published by NVD: 2023-04-28

CVE-2023-28474
Affected versions: Concrete 9.0 to 9.1.3 (does NOT affect Concrete 8.5 and below)
MITRE title: Concrete CMS (previously concrete5) before 9.2 is vulnerable to stored XSS on Saved Presets on search. (MITRE to be requested to update the affected versions.)
Concrete Team information: Concrete CMS (previously concrete5) between 9.0 and 9.1.3 is vulnerable to stored XSS on Saved Presets. Prior to the fix there was no sanitation when saving presets on search. The bug was introduced in version 9.0.0.
CVSS v4 score: Concrete Team N/A; NIST N/A
CVSS v4 vector: Concrete Team N/A; NIST N/A
CVSS v3.1 score: Concrete Team 3.5; NIST 5.4
CVSS v3.1 vector: Concrete Team AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N; NIST CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Credit: Veshraj Ghimire
Disclosed by Concrete: 2023-04-20
Published by NVD: 2023-04-28

CVE-2023-28476
Affected versions: Concrete 9.0 to 9.1.3 (does NOT affect Concrete 8.5 and below)
MITRE title: Concrete CMS (previously concrete5) before 9.2 is vulnerable to stored XSS on Tags on uploaded files. (MITRE to be requested to update the affected versions.)
Concrete Team information: Concrete CMS (previously concrete5) between 9.0 and 9.1.3 is vulnerable to stored XSS on Tags. Prior to the fix there was no sanitation when adding tags to uploaded files. The file details page does not exist in the Concrete Dashboard below version 9.0.0.
CVSS v4 score: Concrete Team N/A; NIST N/A
CVSS v4 vector: Concrete Team N/A; NIST N/A
CVSS v3.1 score: Concrete Team 4.5; NIST 5.4
CVSS v3.1 vector: Concrete Team AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N; NIST CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Credit: Veshraj Ghimire, Ashim Chapagain
Disclosed by Concrete: 2023-04-20
Published by NVD: 2023-04-28

CVE-2023-28819
Affected versions: Concrete 9 below 9.1.0; Concrete 8 below 8.5.13
MITRE title: Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in uploaded file and folder names. (MITRE has confirmed they are updating the affected versions.)
Concrete Team information: Concrete CMS (previously concrete5) 9.0.0 through 9.1 and Concrete CMS 8.5.12 and below are vulnerable to stored XSS in uploaded file and folder names, since Concrete CMS was rendering the data without sanitizing it.
CVSS v3.1 score: Concrete Team 3.5; NIST 5.4
CVSS v3.1 vector: Concrete Team AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N; NIST CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Credit: solov9ev
Disclosed by Concrete: 2023-04-20
Published by NVD: 2023-04-28

CVE-2023-28820
Affected versions: Concrete below 9.1.0
MITRE title: Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized.
Concrete Team information: Concrete CMS (previously concrete5) below 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute, since the link element input was not sanitized.
CVSS v3.1 score: Concrete Team 2; NIST 5.4
CVSS v3.1 vector: Concrete Team AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N; NIST CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Credit: Anna
Disclosed by Concrete: 2023-04-20
Published by NVD: 2023-04-28
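An href is the one XSS sink where the usual fix for the stored-XSS entries on this page, HTML-escaping on output, is not sufficient on its own: `javascript:alert(1)` contains nothing that escaping changes. The renderers below are an added example, not Concrete CMS code; the page only says the RSS Displayer's link href was not sanitized, so the shape of the vulnerable renderer and the allow-list of schemes are my own, and the feed values are constructed.

```python
"""Render a link from untrusted feed data without letting the href become a
script vector.

Added example, not Concrete CMS code. The renderers are illustrative: they
show that HTML-escaping an attribute value stops break-out but not a
javascript: or data: URL, so href also needs a scheme allow-list."""

import html
from urllib.parse import urlsplit

SAFE_SCHEMES = {"http", "https", "mailto"}


def render_link_unsanitized(href: str, text: str) -> str:
    """The vulnerable shape: feed values dropped straight into markup."""
    return f'<a href="{href}">{text}</a>'


def render_link_escaped_only(href: str, text: str) -> str:
    """Escaping stops attribute break-out (quotes, angle brackets) but leaves a
    javascript: URL fully intact, so it still executes on click."""
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(text)}</a>'


def safe_href(href: str) -> str:
    """Return href if its scheme is allowed (or it is relative), else "#".

    Browsers drop ASCII tab/newline from URLs and ignore case in the scheme,
    so "java\\tscript:" must be recognised as "javascript:". The cleaned copy
    is used only for the decision; the original value is what gets emitted."""
    cleaned = "".join(ch for ch in href if ord(ch) > 0x20)
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme == "" or scheme in SAFE_SCHEMES:
        return href
    return "#"


def render_link_safe(href: str, text: str) -> str:
    """Allow-list the scheme, then escape for the attribute and text contexts."""
    return (f'<a href="{html.escape(safe_href(href), quote=True)}">'
            f'{html.escape(text)}</a>')


# Constructed feed values standing in for an RSS item's <link> and <title>.
FEED_ITEMS = [
    ("https://example.com/post/1?a=1&b=2", "A normal <title>"),
    ("javascript:alert(document.cookie)", "Click me"),
    ("java\tscript:alert(1)", "Tab-split scheme"),
    ('"><img src=x onerror=alert(1)>', "Attribute break-out"),
    ("/relative/item", "Relative link"),
]

if __name__ == "__main__":
    for href, text in FEED_ITEMS:
        print("escaped only:", render_link_escaped_only(href, text))
        print("safe:        ", render_link_safe(href, text))
```

The allow-list is deliberately short; a relative path containing a colon before any slash (for example `foo:bar`) is parsed as a scheme and rejected, which is the right failure direction for feed data.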

CVE-2023-28821
Affected versions: Concrete below 9.1.0
MITRE title: Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets.
Concrete Team information: Concrete CMS (previously concrete5) below 9.1 did not have a rate limit on password reset. The fix relies on a completely new library added to version 9, which is not in version 8.5.
CVSS v3.1 score: Concrete Team 5.3; NIST 5.3
CVSS v3.1 vector: Concrete Team AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L; NIST CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Credit: @0x0002
Disclosed by Concrete: 2023-04-20
Published by NVD: 2023-04-28

CVE-2022-43693
Affected versions: Concrete 8.5.9 and below; Concrete 9.0 through 9.1.2
MITRE title: Concrete CMS is vulnerable to CSRF due to the lack of a "state" parameter for the external Concrete authentication service, for users of Concrete who use the "out of the box" core OAuth.
Concrete Team information: Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to CSRF due to the lack of a "state" parameter for the external Concrete authentication service, for users of Concrete who use the "out of the box" core OAuth. It is only exploitable if the attacker knows the OAuth client secret AND the OAuth client is set up without a redirect URL, which is not possible in v9. Systems which use the Employee Portal PIV authentication are NOT vulnerable to this CVE. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
CVSS v3.1 score: Concrete Team 6.8; NIST 8.8
CVSS v3.1 vector: Concrete Team AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N; NIST CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Credit: Fortbridge (Adrian and Bogdan Tiron)
Disclosed by Concrete: 2022-11-03
Published by NVD: 2022-11-14
Fix: Added state parameter to external concrete authentication service.
  9.1.3: https://github.com/concretecms/concretecms/commit/e9131da39113535856f44b7fb1484002b2f61c30
  8.5.x: https://github.com/concretecms/concretecms/commit/3834239002502a20f5effee2b09c9f35f4980a78

CVE-2022-43692
Affected versions: Concrete 8.5.9 and below; Concrete 9.0 through 9.1.2
MITRE title and Concrete Team information: Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to reflected XSS: a user can cause an administrator to trigger reflected XSS with a URL if the targeted administrator is using an old browser that lacks XSS protection. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
CVSS v3.1 score: Concrete Team 6.4; NIST 6.1
CVSS v3.1 vector: Concrete Team CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N; NIST CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Credit: Fortbridge (Adrian and Bogdan Tiron)
Disclosed by Concrete: 2022-11-03
Published by NVD: 2022-11-14
Fix: Prevent browser-blocked reflected XSS in dashboard search pages.
  9.1.3: https://github.com/concretecms/concretecms/commit/5e353be6a12764dbc2338246f2c1b6058cdfd037
  8.5.x: https://github.com/concretecms/concretecms/commit/0bd65388e5a6d455d8b2469fc166f1b6fdf1abbb

CVE-2022-43694
Affected versions: Concrete 8.5.9 and below; Concrete 9.0 through 9.1.2
MITRE title and Concrete Team information: Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to reflected XSS in the image manipulation library due to unsanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
CVSS v3.1 score: Concrete Team 5.9; NIST 6.1
CVSS v3.1 vector: Concrete Team CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N; NIST CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Credit: Fortbridge (Adrian and Bogdan Tiron)
Disclosed by Concrete: 2022-11-03
Published by NVD: 2022-11-14
Fix: Sanitized output in the dashboard to prevent potential XSS in the Multilingual Report, Image Manipulation Library and icon dashboard page.
  develop: https://github.com/concretecms/concretecms/pull/11002 (commit 377f387abc)
  9.1.3: https://github.com/concretecms/concretecms/commit/2cf75469cfef0699618ab9436049dec33aa8ad15
  8.5.x: https://github.com/concretecms/concretecms/commit/252c38ccff2f22d00cff18994d8f07aee9400edb

CVE-2022-43967
Affected versions: Concrete 8.5.9 and below; Concrete 9.0 through 9.1.2
MITRE title and Concrete Team information: Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to reflected XSS in the multilingual report due to unsanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
CVSS v3.1 score: Concrete Team 5.9; NIST 6.1
CVSS v3.1 vector: Concrete Team CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N; NIST CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Credit: Fortbridge (Adrian and Bogdan Tiron)
Disclosed by Concrete: 2022-11-03
Published by NVD: 2022-11-14
Fix: Sanitized output in the dashboard to prevent potential XSS in the Multilingual Report, Image Manipulation Library and icon dashboard page (same commits as CVE-2022-43694).

CVE-2022-43968
Affected versions: Concrete 8.5.9 and below; Concrete 9.0 through 9.1.2
MITRE title and Concrete Team information: Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to reflected XSS in the dashboard icons due to unsanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
CVSS v3.1 score: Concrete Team 5.9; NIST 6.1
CVSS v3.1 vector: Concrete Team CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N; NIST CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Credit: Fortbridge (Adrian and Bogdan Tiron)
Disclosed by Concrete: 2022-11-03
Published by NVD: 2022-11-14
Fix: Sanitized output in the dashboard to prevent potential XSS in the Multilingual Report, Image Manipulation Library and icon dashboard page (same commits as CVE-2022-43694).

CVE-2022-43686
Affected versions: Concrete 8.5.9 and below; Concrete 9.0 through 9.1.2
MITRE title and Concrete Team information: In Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2, the authTypeConcreteCookieMap table can be filled up, causing a denial of service (high load).
CVSS v3.1 score: Concrete Team 4.8; NIST 6.5
CVSS v3.1 vector: Concrete Team CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H; NIST CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Credit: Fortbridge (Adrian and Bogdan Tiron)
Disclosed by Concrete: 2022-11-03
Published by NVD: 2022-11-14
Fix: Fixed a timeout that could occur when using the forever cookie / stay-signed-in functionality on sites with large numbers of users (waiting for pen tester confirmation of remediation).

CVE-2022-43691
Affected versions: Concrete 8.5.9 and below; Concrete 9.0 through 9.1.2
MITRE title and Concrete Team information: Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently discloses server-side sensitive information (secrets in environment variables and server information) when Debug Mode is left on in production. Mitigation for Concrete CMS below 8.5.10 and between 9.0.0 and 9.1.2: ensure Debug Mode is turned off in production.
CVSS v3.1 score: Concrete Team 4.3; NIST 5.3
CVSS v3.1 vector: Concrete Team CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N; NIST CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Credit: Fortbridge (Adrian and Bogdan Tiron)
Disclosed by Concrete: 2022-11-03
Published by NVD: 2022-11-14

CVE-2022-43687
Affected versions: Concrete 8.5.9 and below; Concrete 9.0 through 9.1.2
MITRE title and Concrete Team information: Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
CVSS v3.1 score: Concrete Team 4.2; NIST 5.4
CVSS v3.1 vector: Concrete Team CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N; NIST CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Credit: Fortbridge (Adrian and Bogdan Tiron)
Disclosed by Concrete: 2022-11-03
Published by NVD: 2022-11-14
Fix:
  9.1.3: https://github.com/concretecms/concretecms/commit/92e0025f229e4b237b7d53507f771c2f9027fba3
  8.5.x: https://github.com/concretecms/concretecms/commit/87d0966e2654bfb6e2a0a459a670926a72bf73bb
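CVE-2022-43693 (missing `state`) and CVE-2022-43687 (no new session ID after login) are the two halves of the same OAuth callback, so one walk-through serves both. The code below is an added example, not Concrete CMS code and not the fix in the commits linked above: it simulates the provider in-process with a dictionary of one-time authorization codes, and the class names, endpoint URLs and session-store API are my own. It shows the client minting a `state` bound to the session that started the flow, rejecting a callback whose `state` belongs to some other session (login CSRF), consuming the `state` so it cannot be replayed, and moving the logged-in user onto a fresh session ID so a pre-login ID planted by an attacker is worthless (fixation).

```python
"""Both sides of a login through an external OAuth provider: a `state` value
bound to the session that started the flow, and a fresh session ID once the
login succeeds.

Added example, not Concrete CMS code. The provider is simulated in-process
(a dict of one-time authorization codes); class names, endpoint URLs and the
session-store API are assumptions."""

import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit


class Session:
    def __init__(self, sid: str):
        self.id = sid
        self.data: Dict[str, str] = {}


class SessionStore:
    """In-memory store with the one operation fixation defence needs:
    regenerate(), which moves the data to a new ID and retires the old one."""

    def __init__(self):
        self._sessions: Dict[str, Session] = {}

    def new(self) -> Session:
        s = Session(secrets.token_urlsafe(32))
        self._sessions[s.id] = s
        return s

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def regenerate(self, old: Session) -> Session:
        fresh = self.new()
        fresh.data = dict(old.data)
        self._sessions.pop(old.id, None)
        return fresh


class FakeProvider:
    """Stands in for the authorization server: hands out one-time codes."""

    def __init__(self):
        self._codes: Dict[str, str] = {}

    def authorize(self, username: str) -> str:
        code = secrets.token_urlsafe(16)
        self._codes[code] = username
        return code

    def exchange(self, code: str) -> str:
        return self._codes.pop(code)  # KeyError on an unknown or replayed code


class LoginError(Exception):
    pass


class OAuthClient:
    AUTHORIZE_URL = "https://idp.example/authorize"        # assumed endpoint
    CALLBACK_URL = "https://site.example/oauth/callback"   # assumed endpoint

    def __init__(self, provider: FakeProvider, store: SessionStore):
        self.provider = provider
        self.store = store

    def start_login(self, session: Session) -> str:
        """Mint an unguessable state, remember it in THIS session, redirect."""
        state = secrets.token_urlsafe(32)
        session.data["oauth_state"] = state
        query = urlencode({"response_type": "code", "client_id": "demo",
                           "redirect_uri": self.CALLBACK_URL, "state": state})
        return f"{self.AUTHORIZE_URL}?{query}"

    def finish_login(self, session: Session, callback_url: str) -> Session:
        """Validate the callback against the session that started the flow
        and return a NEW session for the logged-in user."""
        params = parse_qs(urlsplit(callback_url).query)
        state = params.get("state", [""])[0]
        code = params.get("code", [""])[0]
        expected = session.data.pop("oauth_state", None)   # one-time use
        if not expected or not hmac.compare_digest(expected.encode(), state.encode()):
            raise LoginError("state mismatch: callback not started by this session")
        try:
            username = self.provider.exchange(code)
        except KeyError:
            raise LoginError("unknown or already-used authorization code")
        fresh = self.store.regenerate(session)   # pre-login ID is now invalid
        fresh.data["user"] = username
        return fresh


def state_from(url: str) -> str:
    """Pull the state back out of the authorize URL (what the provider echoes)."""
    return parse_qs(urlsplit(url).query)["state"][0]
```

The two checks are independent: a client that validates `state` but keeps the old session ID is still open to fixation, and one that rotates the ID but skips `state` still lets an attacker log the victim into the attacker's account.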

CVE-2022-43695
Affected versions: Concrete 8.5.9 and below; Concrete 9.0 through 9.1.2
Description (MITRE title; Concrete Team information is identical): Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn't exist or, if it does exist, contains XSS since it was not properly sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
Concrete Team CVSS v3.1 score: 3.1 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N)
NIST CVSS v3.1 score: 4.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)
Credit: Fortbridge (Adrian and Bogdan Tiron)
Disclosed by Concrete: 2022-11-03
Published by NVD: 2022-11-14
Fix commits:
9.1.3 https://github.com/concretecms/concretecms/commit/46129ada9b00e5f7eebc4c6c46aba8bfdbee0ad5
8.5.x https://github.com/concretecms/concretecms/commit/4fc7d1c72b8c8a622cc3d140390c7209f8af57ec

CVE-2022-43688
Affected versions: Concrete 8.5.9 and below; Concrete 9.0 through 9.1.2
Description (MITRE title; Concrete Team information is identical): Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in icons since the Microsoft application tile color is not sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
Concrete Team CVSS v3.1 score: 3.1 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N)
NIST CVSS v3.1 score: 4.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)
Credit: Fortbridge (Adrian and Bogdan Tiron)
Disclosed by Concrete: 2022-11-03
Published by NVD: 2022-11-14
Fix commits:
develop https://github.com/concretecms/concretecms/pull/10999
9.1.3 https://github.com/concretecms/concretecms/commit/51f19b377a19c97a8b8f1d4d0f13724ed1c7c7a7
8.5.x https://github.com/concretecms/concretecms/commit/6d46ca042fcfeda0f7881d8744f5216ef1abce0e

CVE-2022-43690
Affected versions: Concrete 8.5.9 and below; Concrete 9.0 through 9.1.2
Description (MITRE title; Concrete Team information is identical): Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 did not use strict comparison for the legacy_salt so that limited authentication bypass could occur if using this functionality. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
Concrete Team CVSS v3.1 score: 3.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)
NIST CVSS v3.1 score: 6.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
Credit: Fortbridge (Adrian and Bogdan Tiron)
Disclosed by Concrete: 2022-11-03
Published by NVD: 2022-11-14
Fix commits:
9.1.3 https://github.com/concretecms/concretecms/commit/a4dc73a4a47823373d4b4824534bb9b7d251f72c
8.5.x https://github.com/concretecms/concretecms/commit/d5dd12c40efed326b26862391b7e1e6f414cdd55

CVE-2022-43689
Affected versions: Concrete 8.5.9 and below; Concrete 9.0 through 9.1.2
Description (MITRE title; Concrete Team information is identical): Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure.
Concrete Team CVSS v3.1 score: 2.2 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N)
NIST CVSS v3.1 score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Credit: Fortbridge (Adrian and Bogdan Tiron)
Disclosed by Concrete: 2022-11-03
Published by NVD: 2022-11-14
Fix commits:
9.1.3 https://github.com/concretecms/concretecms/commit/11d549e1aad20b906f8bbdf0c022584a01bb9a91
8.5.x https://github.com/concretecms/concretecms/commit/37d3a6da32affae47e439dfe4f8f4c25929516e9

CVE-2022-43556
Affected versions: Concrete 8.5.9 and below; Concrete 9.0 through 9.1.2
Description (MITRE title): Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. The Concrete CMS security team has ranked this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N. Thanks @_akbar_jafarli_ for reporting. Remediate by updating to Concrete CMS 8.5.10 and Concrete CMS 9.1.3.
Concrete Team information: repeats the first sentence of the MITRE title.
Concrete Team CVSS v3.1 score: 5.4 (CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)
NIST CVSS v3.1 score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Credit: @_akbar_jafarli_
Disclosed by Concrete: 2022-11-03
Published by NVD: 2022-12-05

CVE-2022-21829
Affected versions: Concrete 8.5.7 and below; Concrete 9.0 through 9.0.2
Description (MITRE title; Concrete Team information is the same): Concrete CMS versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files, which could lead to an RCE. Fixed by enforcing 'concrete_secure' instead of 'concrete'. Concrete now only makes requests over https, even if a request comes in via http.
Concrete Team CVSS v3.1 score: 8.0 (CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
NIST CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Credit: Anna
Disclosed by Concrete: 2022-06-21
Published by NVD: 2022-06-24

CVE-2022-30117
Affected versions: Concrete 8.5.7 and below; Concrete 9.0 through 9.0.2
Description (MITRE title; Concrete Team information is the same): Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 allow traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. This was remediated by sanitizing /index.php/ccm/system/file/upload to ensure Concrete doesn't allow traversal and by changing isFullChunkFilePresent to have an early false return when input doesn't match expectations.
Concrete Team CVSS v3.1 score: 5.8 (CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H)
NIST CVSS v3.1 score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)
Credit: Siebene
Disclosed by Concrete: 2022-06-21
Published by NVD: 2022-06-24

CVE-2022-30120
Affected versions: Concrete 8.5.7 and below; Concrete 9.0 through 9.0.2
Description (MITRE title; Concrete Team information is the same): XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built URLs are output can be exploited to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Sanitation has been added where built URLs are output.
Concrete Team CVSS v3.1 score: 3.1 (CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)
NIST CVSS v3.1 score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Credit: Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/)
Disclosed by Concrete: 2022-06-21
Published by NVD: 2022-06-24

CVE-2022-30118
Affected versions: Concrete 8.5.7 and below; Concrete 9.0 through 9.0.2
Description (MITRE title; Concrete Team information is the same): XSS in /dashboard/system/express/entities/forms/save_control/[GUID] - old browsers only. When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form can allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism.
Concrete Team CVSS v3.1 score: 2.0 (CVSS v3.1 vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N)
NIST CVSS v3.1 score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Credit: zeroinside
Disclosed by Concrete: 2022-06-21
Published by NVD: 2022-06-24

CVE-2022-30119
Affected versions: Concrete 8.5.7 and below; Concrete 9.0 through 9.0.2
Description (MITRE title; Concrete Team information is the same): XSS in /dashboard/reports/logs/view - old browsers only. When using Internet Explorer with the XSS protection disabled, insufficient sanitation where built URLs are output can be exploited. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism.
Concrete Team CVSS v3.1 score: 2.0 (CVSS v3.1 vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N)
NIST CVSS v3.1 score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Credit: zeroinside
Disclosed by Concrete: 2022-06-21
Published by NVD: 2022-06-24

CVE-2021-22954
Affected versions: 8.5.x and below (configuration mitigation for version 8 available)
MITRE title: A cross-site request forgery vulnerability exists in Concrete CMS <v9 that could allow an attacker to make requests on behalf of other users.
Concrete Team information: The CSRF token is stored in dynamic JavaScript in Concrete CMS versions below 9. Version 9 removed the CSRF token from being stored in dynamic JavaScript to remediate CVE-2021-22954.

Alternate mitigations for versions below 9 are to apply a header configuration in nginx/apache. To mitigate, set Cross-Origin-Resource-Policy to either same-origin or same-site; see https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP) if unsure which to apply.

For Nginx: in the location block - add_header Cross-Origin-Resource-Policy "same-origin";
Apache: in .htaccess or equivalent - Header set Cross-Origin-Resource-Policy "same-origin"

Concrete CMS Security Team CVSS 3.1 score 4.8 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Concrete Team CVSS v3.1 score: 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
NIST CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Credit: "Solar Security Research Team"
Disclosed by Concrete: 2021-11-16
Published by NVD: 2022-02-09
Disputed: 2022-02-13 provided MITRE with Concrete 8 mitigation information

CVE-2021-22970
Affected versions: 8.5.6 and below; 9.0.0
Description: Concrete CMS (formerly concrete5) versions 8.5.6 and below and also version 9.0.0 allow local IP importing, causing the system to be vulnerable to
a. SSRF attacks on the private LAN servers by reading files from the local LAN. An attacker can pivot in the private LAN and exploit local network apps
and
b. SSRF Mitigation Bypass through DNS Rebinding
Concrete CMS security team gave this a CVSS score of 3.5 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
Concrete CMS is maintaining Concrete version 8.5.x until 1 May 2022 for security fixes.
This CVE is shared with HackerOne Reports https://hackerone.com/reports/1364797 and https://hackerone.com/reports/1360016
Concrete Team CVSS v3.1 score: 3.5
Credit: Adrian Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/) and Bipul Jaiswal
Disclosed by Concrete: 2021-11-10

CVE-2021-40101
Affected versions: 8.5.6 and below
Description: An issue was discovered in Concrete CMS before 8.5.7. The Dashboard allows a user's password to be changed without a prompt for the current password.
CVSS v3.1 score: 7.8

CVE-2021-22966
Affected versions: 8.5.6 and below
Description: Privilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. If a group is granted "view" permissions on the bulkupdate page, then users in that group can escalate to being an administrator with a specially crafted curl. Fixed by adding a check for group permissions before allowing a group to be moved. Concrete CMS Security team CVSS scoring: 7.1 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
This fix is also in Concrete version 9.0.0
Concrete Team CVSS v3.1 score: 7.1
Credit: Adrian Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/)
Disclosed by Concrete: 2021-11-10

CVE-2021-22968
Affected versions: 8.5.6 and below
Description: A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below.
The external file upload feature stages files in the public directory even if they have disallowed file extensions. They are stored in a directory with a random name, but it's possible to stall the uploads and brute force the directory name. You have to be an admin with the ability to upload files, but this bug gives you the ability to upload restricted file types and execute them depending on server configuration.
To fix this, a check for allowed file extensions was added before downloading files to a tmp directory.

Concrete CMS Security Team gave this a CVSS v3.1 score of 5.4 AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:N
This fix is also in Concrete version 9.0.0
Concrete Team CVSS v3.1 score: 5.4
Credit: Joe
Disclosed by Concrete: 2021-11-10