| A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z | AA | AB | AC | AD | AE | AF | AG | AH | AI | AJ | AK | AL | AM | AN | AO | AP | AQ | AR | AS | AT | AU | AV | AW | AX | AY | AZ | BA | BB | BC | BD | BE | BF | BG | ||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
2 | Concrete CMS DISCLOSED CVEs | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
3 | last updated date: 2025-08-13 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
4 | Affected Versions | CVE | MITRE Title | Concrete Team Information | CVSS v4 Score | CVSS v3.1 Score | Credit | Date Disclosed by Concrete | Date Published by NVD | Notes | ||||||||||||||||||||||||||||||||||||||||||||||||||
5 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
6 | Concrete Team | NIST | ConcreteTeam CVSS v4 vector | NIST CVSS v4 vector | Concrete Team | NIST | ConcreteTeam CVSS v3.1 vector | NIST CVSS v3.1 Vector | ||||||||||||||||||||||||||||||||||||||||||||||||||||
7 | Concrete CMS 9 to 9.4.2 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
8 | Concrete CMS 9 to 9.4.2 | CVE-2025-8571 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Page. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and (if victim is an admin), the execution of unauthorized actions. | 4.8 | N/A | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N | N/A | 2025-08-05 | 2025-08-05 | ||||||||||||||||||||||||||||||||||||||||||||||||||
9 | Concrete CMS 9 to 9.4.2 | CVE-2025-8573 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS versions 9 through 9.4.2 are vulnerable to Stored XSS from Home Folder on Members Dashboard page. Version 8 was not affected. A rogue admin could set up a malicious folder containing XSS to which users could be directed upon login. | 2.0 | N/A | CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | N/A | N/A | N/A | N/A | N/A | sealldev (Noah Cooper) | 2025-08-05 | 2025-08-05 | |||||||||||||||||||||||||||||||||||||||||||||
10 | Concrete CMS 9 to 9.4.2 and versions below 8.5.21 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
11 | Concrete CMS 9 to 9.4.2 and versions below 8.5.21 | CVE-2025-8571 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Page. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and (if victim is an admin), the execution of unauthorized actions. | 4.8 | N/A | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N | N/A | N/A | N/A | N/A | N/A | sealldev (Noah Cooper) | 2025-08-05 | 2025-08-05 | |||||||||||||||||||||||||||||||||||||||||||||
12 | Concrete CMS 8 below 8.5.20 Does | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
13 | Concrete CMS below 8.5.20 | Advisory only | n/a | Advisory Only to update to 8.5.20 if using Microsoft OS. Unsafe Storage of API Keys when using Microsoft OS because of un-updatable league/oauth2 server dependency. (Does not affect Concrete 9+) | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a | Mlocati | 2025-04-01 | n/a | n/a | n/a | |||||||||||||||||||||||||||||||||||||||||||
14 | Concrete CMS 9 below 9.4.0RC2 and below 8.5.20 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
15 | Concrete CMS 9 below 9.4.0RC2 and below 8.5.20 | CVE-2025-3153 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS version 9 below 9.4.0RC2 and versions below 8.5.20 are vulnerable to CSRF and XSS in the Concrete CMS Address attribute because addresses are not properly sanitized in the output when a country is not specified. Attackers are limited to individuals whom a site administrator has granted the ability to fill in an address attribute. It is possible for the attacker to glean limited information from the site but amount and type is restricted by mitigating controls and the level of access of the attacker. Limited data modification is possible. The dashboard page itself could be rendered unavailable. The fix only sanitizes new data uploaded post update to Concrete CMS 9.4.0RC2. Existing database entries added before the update will still be “live” if there were successful exploits added under previous versions; a database search is recommended. | 5.1 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L | N/A | Myq Larson | 2025-04-01 | |||||||||||||||||||||||||||||||||||||||||||||||||||
16 | Concrete 9 below 9.4.0 Concrete 8 not affected | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
17 | Concrete 9.0.0 though 9.3.9 | CVE-2025-0660 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS versions 9.0.0 through 9.3.9 are affected by a stored XSS in Folder Function.The "Add Folder" functionality lacks input sanitization, allowing a rogue admin to inject XSS payloads as folder names. Fixed by adding sanitation to the folder selector dropdown output with commit 11bef02 and by fixing folder deletion issues with commit 7c134e9. Versions below 9 are not affected. | 4.8 | pending | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N | pending | scored only v4.0 | scored only v4.0 | Alfin Joseph | 2025-03-04 | 2025-03-10 | |||||||||||||||||||||||||||||||||||||||||||||||
18 | Concrete below 9.3.6 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
19 | Concrete below 9.3.6 | no CVE - for informational purposes only | See Concrete Team information - Concrete CMS is now a CNA | Concrete below 9.3.6 does not automatically set security headers for cached pages. Security headers have to be set manually in .htaccess or in the apache / nginx settings | 0 | 0 | N/A - Security informational Updates are not assessed | N/A - Security informational Updates are not assessed | N/A - Security Updates are not assessed | N/A - Security Updates are not assessed | N/A - Security Updates are not assessed | N/A - Security Updates are not assessed | Hissy | 2024-11-05 | N/A | |||||||||||||||||||||||||||||||||||||||||||||
20 | Concrete below 9.3.4 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
21 | Concrete below 9.3.4 | CVE-2024-8660 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS versions 9.0.0 through 9.3.4 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block.Since the "Top Navigator Bar" output was not sufficiently sanitized, a rouge administrator could add a malicious payload that could be executed when targeted users visited the home page.This does not affect versions below 9.0.0 since they do not have the Top Navigation Bar Block. | 4.6 | pending | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N | Pending - NVD assessment not yet provided. | N/A | 4.8 | N/A | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | Chu Quoc Khanh (k0i3n) | 2024-09-17 | 2024-09-17 | |||||||||||||||||||||||||||||||||||||||||||||
22 | Cocrete 9 below 9.3.4 Concrete 8 below 8.5.19 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
23 | Cocrete 9 below 9.3.4 Concrete 8 below 8.5.19 | CVE-2024-8661 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS versions 9.0.0 to 9.3.4 and below 8.5.18 are vulnerable to Stored XSS in the "Next&Previous Nav" block. A rogue administrator could add a malicious payload by executing it in the browsers of targeted users. Since the "Next&Previous Nav" block output was not sufficiently sanitized, the malicious payload could be executed in the browsers of targeted users. | 4.6 | pending | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N | Pending - NVD assessment not yet provided. | N/A | N/A | N/A | N/A | Chu Quoc Khanh (k0i3n) | 2024-09-16 | 2024-09-16 | |||||||||||||||||||||||||||||||||||||||||||||
24 | Cocrete 9 below 9.3.4 Concrete 8 below 8.5.19 | CVE-2024-7398 | See Concrete Team information - Concrete CMS is now a CNA | Concrete version 9 below 9.3.4 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with permission to modify event calendars can execute scripts. | 4.6 | pending | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N | Pending - NVD assessment not yet provided. | N/A | 5.4 | N/A | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Yusuke Uchida | 2024-09-24 | 2024-09-24 | CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC. | ||||||||||||||||||||||||||||||||||||||||||||
25 | Cocrete 9 below 9.3.4 Concrete 8 below 8.5.19 | CVE-2024-8291 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS version 9 below 9.3.4 and versions below 8.5.19 are vulnerable to stored XSS in the Image Editor Background Color. A rogue admin could add malicious code to the Thumbnails/Add Type. | 5.1 | pending | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | Pending - NVD assessment not yet provided. | N/A | 4.8 | N/A | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | Alexey Solovyev (solov9ev) | 2024-09-24 | 2024-09-24 | CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC. | ||||||||||||||||||||||||||||||||||||||||||||
26 | Concrete 9 to 9.3.3 and versions below 8.5.19 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
27 | Concrete 9 to 9.3.3 and versions below 8.5.19 | CVE-2024-8291 | See Concrete Team information - Concrete CMS is now a CNA | Concrete version 9 below 9.3.4 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users or groups with permission to modify event calendars can execute scripts. | 5.1 | pending | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | Pending - NVD assessment not yet provided. | N/A | 4.8 | N/A - CVSS v3.2 Obsolete | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | Alexey Solovyev | 08-10-2024 | 2024-08-10 | CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC. | ||||||||||||||||||||||||||||||||||||||||||||
28 | Concrete 9 to 9.3.3 and versions below 8.5.19 | CVE-2024-7398 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in Calendar Event Addition Feature. Users or groups with permission to create event calendars could embed scripts and users or groups with permission to modify event calendars could execute scripts. | 4.6 | pending | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N | Pending - NVD assessment not yet provided. | N/A | 5.4 | N/A | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Yusuke Uchida | 2024-08-10 | 2024-08-10 | CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC. | ||||||||||||||||||||||||||||||||||||||||||||
29 | Concrete below 9.3.3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
30 | Concrete below 9.3.3 | no CVE - for informational purposes only | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS version 9.3.3 now enforces the Secure Flag for the CONCRETE cookie if a login request is using https by default. This is in line with industry best practice. If a site is served over http:// and the guest uses http:// to log in, the CONCRETE cookie will not have the Secure flag applied so that the site is usable. Although the patch could not be applied cleanly to version 8, the Secure Flag setting can be configured via the dashboard. Since this is a configuration setting, no CVE is being issued. | 0 | N/A - Security Updates are not assessed | None | N/A | 0 | N/A | None | N/A | Yusuke Uchida | 2024-08-08 | 2024-08-08 | |||||||||||||||||||||||||||||||||||||||||||||
31 | Concrete 9 to 9.3.2 and versions below 8.5.18 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
32 | Concrete 9 to 9.3.2 and versions below 8.5.18 | CVE-2024-4350 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses. A rogue administrator could inject malicious code into fields due to insufficient input validation. | 5.1 | pending | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | Pending - NVD assessment not yet provided. | N/A | 4.8 | CVSS v3.1 deprecated | CVSS v3.1 deprecated | m3dium | 2024-08-08 | 2024-08-12 | CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC. | ||||||||||||||||||||||||||||||||||||||||||||
33 | Concrete 9 to 9.3.2 and versions below 8.5.18 | CVE-2024-7394 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS versions 9 through 9.3.2 and below 8.5.18 are vulnerable to Stored XSS ingetAttributeSetName(). A rogue administrator could inject malicious code. | 4.6 | pending | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | Pending - NVD assessment not yet provided. | 2.0 | pending | AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N | CVSS v3.1 deprecated | m3dium | 2024-08-08 | 2024-08-08 | CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC. | ||||||||||||||||||||||||||||||||||||||||||||
34 | Concrete 9 to 9.3.2 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
35 | Concrete 9 to 9.3.2 (versions below 9 not affected) | CVE-2024-4353 | See Concrete Team information - Concrete CMS is now a CNA | Stored XSS in Generate Board Name Input Field : Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board instance functionality. The Name input field does not check the input sufficiently letting a rogue administrator have the capability to inject malicious JavaScript code. | 4.6 | pending | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N | Pending - NVD assessment not yet provided. | N/A- CVSS v3.1 deprecated | pending | CVSS v3.1 deprecated | CVSS v3.1 deprecated | fhAnso | 2024-08-01 | 2024-08-01 | CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC. | ||||||||||||||||||||||||||||||||||||||||||||
36 | Concrete 9 to 9.3.2 (versions below 9 not affected) | CVE-2024-7512 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in Board instances. A rogue administrator could inject malicious code. | 4.6 | pending | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | Pending - NVD assessment not yet provided. | N/A- CVSS v3.1 deprecated | 4.8 | CVSS v3.1 deprecated | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | m3dium | 2024-08-09 | 2024-08-12 | CNA updated this risk rank on 17 Jan 2025 by lowering the AC based on CVSS 4.0 documentation that access privileges should not be considered for AC. | ||||||||||||||||||||||||||||||||||||||||||||
37 | Concrete 9 to 9.2.7 and Concrete 8 below 8.5.16 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
38 | Concrete 9 to 9.2.7 and Concrete 8 below 8.5.16 | CVE-2024-3180 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS version 9 below 9.2.8 and previous versions below 8.5.16 is vulnerable to Stored XSS in blocks of type file. Prior to fix, stored XSS could be caused by a rogue administrator adding malicious code to the link-text field when creating a block of type file. | N/A | N/A | N/A | N/A | 3.1 | pending | AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L | CVSS v3.1 deprecated | Alexey Solovyev | 2024-03-04 | 2024-04-03 | |||||||||||||||||||||||||||||||||||||||||||||
39 | Concrete 9 to 9.2.7 and Concrete 8 below 8.5.16 | CVE-2024-3181 | See Concrete Team information - Concrete CMS is now a CNA | Stored XSS in the Search Field. Prior to the fix, stored XSS could be executed by an administrator changing a filter to which a rogue administrator had previously added malicious code. | N/A | N/A | N/A | N/A | 3.1 | pending | AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L | CVSS v3.1 deprecated | Alexey Solovyev | 2024-04-03 | 2024-04-03 | |||||||||||||||||||||||||||||||||||||||||||||
40 | Concrete 9 to 9.2.6 (versions below 9 not affected) | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
41 | Concrete 9 to 9.2.6 | CVE-2024-2179 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS version 9 before 9.2.7 is vulnerable to Stored XSS via the Name field of a Group type since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Name field which might be executed when users visit the affected page. | N/A | N/A | N/A | N/A | 2.2 | pending | AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N | Luca Fuda | 2024-03-05 | 2024-03-05 | ||||||||||||||||||||||||||||||||||||||||||||||
42 | Concrete 9 to 9.2.5 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
43 | Concrete 9.0.0 to 9.2.5 | CVE-2024-1245 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator entered file attributes are not sufficiently sanitized in the Edit Attributes page. A rogue administrator could put malicious code into the file tags or description attributes and, when another administrator opens the same file for editing, the malicious code could execute. | N/A | N/A | N/A | N/A | 2.4 | 4.8 | AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N | AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N | Poto Gabor | 2024-02-06 | 2024-02-09 | |||||||||||||||||||||||||||||||||||||||||||||
44 | Concrete 9.0.0 to 9.2.5 | CVE-2024-1246 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature due to insufficient validation of administrator provided data. A rogue administrator could inject malicious code when importing images, leading to the execution of the malicious code on the website user’s browser. This does not affect Concrete versions prior to version 9. | N/A | N/A | N/A | N/A | 2 | 4.8 | AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N | AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | cupc4k3 | 2024-02-06 | 2024-02-09 | |||||||||||||||||||||||||||||||||||||||||||||
45 | Concrete 9.0.0 to 9.2.5 | CVE-2024-1247 | See Concrete Team information - Concrete CMS is now a CNA | Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS via the Role Name field since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the affected page. Concrete versions below 9 do not include group types so they are not affected by this vulnerability. | N/A | N/A | N/A | N/A | 2 | 4.8 | AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N | AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | cupc4k3 | 2024-02-06 | 2024-02-09 | |||||||||||||||||||||||||||||||||||||||||||||
46 | Concrete 9.2.0 through 9.2.2 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
47 | Concrete 9.2.0 through 9.2.2 | CVE-2023-44762 | A Cross Site Scripting (XSS) vulnerability in Concrete CMS from versions 9.2.0 to 9.2.2 allows an attacker to execute arbitrary code via a crafted script to the Tags from Settings - Tags | A Cross Site Scripting (XSS) vulnerability in Concrete CMS version 9.2 through 9.2.2 allows an attacker to execute arbitrary code via a crafted script to the Tags from Settings - Tag. The file this touches is in Bedrock, using a custom library the project wrote for version 9.2.0. | N/A | N/A | N/A | N/A | did not rank. Found in wild. | 5.4 | did not rank. Found in wild. | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Did not communicate with Concrete | Found in wild. | 2023-10-06 | N/A | ||||||||||||||||||||||||||||||||||||||||||||
48 | Concrete 9 to 9.2.2 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
49 | Concrete 9 to 9.2.2 | CVE-2023-44764 | A Cross Site Scripting (XSS) vulnerability in Concrete CMS v.9.2.1 allows an attacker to execute arbitrary code via a crafted script to the SITE parameter from installation or in the Settings. MITRE TO BE ASKED TO UPDATE AFFECTED VERSIONS. | A Cross Site Scripting (XSS) vulnerability in Concrete CMS 9.0.0 through 9.2.2 allows an attacker to execute arbitrary code via a crafted script to the SITE parameter from installation or in the Settings. | N/A | N/A | N/A | N/A | did not rank. Found in wild. | 5.4 | did not rank. Found in wild. | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Did not communicate with Concrete | Found in wild. | 2023-10-06 | N/A | ||||||||||||||||||||||||||||||||||||||||||||
50 | Concrete 9 to 9.2.2 | CVE-2023-48652 | Concrete CMS 9 before 9.2.3 is vulnerable to Cross-Site Request Forgery (CSRF) via /ccm/system/dialogs/logs/delete_all/submit. An attacker can force an admin user to delete server report logs on a web application to which they are currently authenticated. | CSRF to delete report logs is present in is present at `/ccm/system/dialogs/logs/delete_all/submit | N/A | N/A | N/A | N/A | 6.3 | 4.3 | AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | Veshraj Ghimire | 2023-12-25 | 2023-12-25 | |||||||||||||||||||||||||||||||||||||||||||||
51 | Concrete 9 to 9.2.2 | CVE-2023-48651 | Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery (CSRF)at /ccm/system/dialogs/file/delete/1/submit. | Cross Site Request Forgery (CSRF) [bypass] to delete any files 3 vulnerability is present at /ccm/system/dialogs/file/delete/1/submit | N/A | N/A | N/A | N/A | 4.3 | pending | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L | pending | Veshraj Ghimire | 2023-12-25 | 2024-02-28 | |||||||||||||||||||||||||||||||||||||||||||||
52 | Concrete 9 to 9.2.2 | CVE-2023-49337 | Concrete CMS before 9.2.3 allows Stored XSS on the Admin Dashboard via /dashboard/system/basics/name. (8.5 and earlier are unaffected.) | Stored XSS on admin dashboard via /dashboard/system/basics/name | N/A | N/A | N/A | N/A | 2.4 | 2.4 | AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N | AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N | Ramshath MM | 2023-12-25 | 2023-12-25 | |||||||||||||||||||||||||||||||||||||||||||||
53 | Concrete 9 to 9.2.2, Concrete 8 below 8.5.14 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
54 | Concrete 9 to 9.2.2, Concrete 8 below 8.5.14 | CVE-2023-48653 | Concrete CMS before 8.5.14 and 9 before 9.2.3 allows Cross Site Request Forgery (CSRF) via ccm/calendar/dialogs/event/delete/submit. An attacker can force an admin to delete events on the site because the event ID is numeric and sequential. | Cross Site Request Forgery (CSRF) vulnerability is present at` ccm/calendar/dialogs/event/delete/submit | N/A | N/A | N/A | N/A | 4.3 | pending | AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | pending | Veshraj Ghimire | 2023-12-25 | 2024-02-28 | |||||||||||||||||||||||||||||||||||||||||||||
55 | Concrete 9 to 9.2.2, Concrete 8 below 8.5.14 | CVE-2023-48650 | Concrete CMS before 8.5.14 and 9 before 9.2.3 is vulnerable to an admin adding a stored XSS payload via the Layout Preset name. | Stored XSS in Layout Preset name | N/A | N/A | N/A | N/A | 3.5 | pending | AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N | pending | Solar Security CMS Research | 2023-12-25 | 2024-02-28 | |||||||||||||||||||||||||||||||||||||||||||||
56 | Concrete 9 below 9.2.2 Concrete 8 below 8.5.13 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
57 | Concrete 9 below 9.2.2 Concrete 8 below 8.5.13 | CVE-2023-48648 | Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions. File creation functions (such as the Mkdir() function) gives universal access (0777) to created folders by default. Excessive permissions can be granted when creating a directory with permissions greater than 0755 or when the permissions argument is not specified. | Concrete 8.5.12 and below and Concrete 9.0.0 through 9.2.1 are vulnerable to unauthorized access because directories can be created with insecure permissions. File creation functions (such as the Mkdir() function) gives universal access (0777) to created folders by default. Excessive permissions can be granted when creating a directory with permissions greater than 0755 or when the permissions argument is not specified. | N/A | N/A | N/A | N/A | 5.3 | 9.8 | [AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H] | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Mlocati for fixing tahabiyikli-vortex for reporting | 2023-11-17 | 2023-11-16 | |||||||||||||||||||||||||||||||||||||||||||||
58 | Concrete 9 below 9.2.2 Concrete 8 below 8.5.13 | CVE-2023-48649 | Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows stored XSS on the Admin page via an uploaded file name | Concrete 8.5.12 and below and Concrete 9.0.0 through 9.2.1 are vulnerable to stored XSS on the Concrete Admin page. Prior to fix there was no sanitation on uploaded file names. Concrete CMS Security team scored this 3.5 with CVSS v3 vector AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N @akbar_jafarli reported H1 2149479. Fixed in commit https://github.com/concretecms/concretecms/pull/11695 in Concrete 9.2.2 and in commit https://github.com/concretecms/concretecms/pull/11739 for Concrete 8.5.13. | N/A | N/A | N/A | N/A | 3.5 | 5.4 | [AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N] | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Akbar Jafarli | 2023-12-25 | 2023-11-16 | |||||||||||||||||||||||||||||||||||||||||||||
59 | Concrete 9 below 9.2.2 Concrete 8 below 8.5.13 | CVE-2023-44761 | Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow a local attacker to execute arbitrary code via a crafted script to the Forms of the Data objects. IN COMMUNICATION WITH MITRE TO UPDATE AFFECTED VERSIONS. | Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS 9.0.0 through 9.2.1 and below 8.5.13 allow a local attacker to execute arbitrary code via a crafted script to the Forms of the Data objects. | N/A | N/A | N/A | N/A | not ranked. found in wild | 5.4 | did not rank - found in the wild | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Not reported to Concrete | 2023-10-06 | ||||||||||||||||||||||||||||||||||||||||||||||
60 | Concrete 9 below 9.2.2 Concrete 8 below 8.5.13 | CVE-2023-44765 | A Cross Site Scripting (XSS) vulnerability in Concrete CMS versions 8.5.12 and below, and 9.0 through 9.2.1 allows an attacker to execute arbitrary code via a crafted script to Plural Handle of the Data Objects from System & Settings. | A Cross Site Scripting (XSS) vulnerability in Concrete CMS 9.0.0 through 9.2.1 and below 8.5.13 allows an attacker to execute arbitrary code via a crafted script to Plural Handle of the Data Objects from System & Settings. | N/A | N/A | N/A | N/A | not ranked. found in wild | 5.4 | did not rank - found in the wild | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Not reported to Concrete | 2023-10-06 | ||||||||||||||||||||||||||||||||||||||||||||||
61 | Concrete 9.2.1 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
62 | CONCRETE CMS DISPUTES | CVE-2023-44763 | Concrete CMS v9.2.1 is affected by Arbitrary File Upload vulnerability via the Thumbnail" file upload, which allows Cross-Site Scripting (XSS). | disputing with MITRE. Asking for it to be removed. | N/A | N/A | N/A | N/A | not ranked. found in wild | 5.4 | n/a | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Not reported to Concrete | 2023-10-10 | 2023-10-25 Concrete CMS disputed | |||||||||||||||||||||||||||||||||||||||||||||
63 | CONCRETE CMS DISPUTES | CVE-2023-44760 | Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow an attacker to execute arbitrary code via a crafted script to the Header and Footer Tracking Codes of the SEO & Statistics. | disputing with MITRE. Asking for it to be removed. | N/A | N/A | N/A | N/A | not ranked. found in wild | 5.4 | n/a | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Not reported to Concrete | 2023-10-23 | 2023-10-30 Concrete CMS disputed | |||||||||||||||||||||||||||||||||||||||||||||
64 | CONCRETE CMS DISPUTES | CVE-2023-44766 | A Cross Site Scripting (XSS) vulnerability in Concrete CMS v.9.2.1 allows an attacker to execute arbitrary code via a crafted script to the SEO - Extra from Page Settings. | disputing with MITRE. Asking for it to be removed. | N/A | N/A | N/A | N/A | not ranked. found in wild | 5.4 | n/a | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Not reported to Concrete | 2023-10-06 | 2023-11-16 Concrete CMS disputed | |||||||||||||||||||||||||||||||||||||||||||||
65 | Concrete 9 Below 9.2 Concrete 8 Below 8.5.13 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
66 | Concrete 9 Below 9.2 Concrete 8 Below 8.5.13 | CVE-2023-28472 | Concrete CMS (previously concrete5) versions 8.5.12 and below, and versions 9.0 through 9.1.3 is vulnerable to Reflected XSS on the Reply form because msgID was not sanitized. | Concrete CMS (previously concrete5) below 9.0.0 through 9.13 and below 8.5.13 does not have Secure and HTTP only attributes set for ccmPoll cookies. [CVE Update required: updating the Survey Block Controller. We added support for the concrete.session.cookie.cookie_secure value to the ccmPoll cookie (which developers can set to true if they want to use secure cookies. ] | N/A | N/A | N/A | N/A | 3.4 | 5.3 | AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 2023-04-20 | 2023-04-28 | ||||||||||||||||||||||||||||||||||||||||||||||
67 | Concrete 9 Below 9.2 Concrete 8 Below 8.5.13 | CVE-2023-28473 | Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to possible Auth bypass in the jobs section. | Concrete CMS (previously concrete5) 9.0.0 through 9.1.3 and below 8.5.1 s vulnerable to possible Auth bypass in the jobs section. | N/A | N/A | N/A | N/A | 2.2 | 3.3 | AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L | Fortbridge (Adrian Tiron) | 2023-04-20 | 2023-04-28 | |||||||||||||||||||||||||||||||||||||||||||||
68 | Concrete 9 Below 9.2 Concrete 8 Below 8.5.13 | CVE-2023-28475 | Concrete CMS (previously concrete5) versions 8.5.12 and below, and versions 9.0 through 9.1.3 is vulnerable to Reflected XSS on the Reply form because msgID was not sanitized. | Concrete CMS (previously concrete5) 9.0.0 through 9.1.3 and below 8.5.13 is vulnerable to Reflected XSS on the Reply form since msgID was not sanitized. | N/A | N/A | N/A | N/A | 4.2 | 6.1 | AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N. | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Fortbridge (Bogdan Tiron) | 2023-04-20 | 2023-04-28 | |||||||||||||||||||||||||||||||||||||||||||||
69 | Concrete 9 Below 9.2 Concrete 8 Below 8.5.13 | CVE-2023-28477 | Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to stored XSS on API Integrations via the name parameter. | Concrete CMS (previously concrete5) below 9.0.0 through 9.13 and below 8.5.13 is vulnerable to stored XSS on API Integrations via the name parameter. Prior to the fix, while adding API Integrations on Concrete CMS, the parameter name accepted special characters enabling malicious JavaScript payloads impacting /dashboard/system/api/integrations and /dashboard/system/api/integrations/view_client/unique-id. | N/A | N/A | N/A | N/A | 5.5 | 5.5 | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N | Veshraj Ghimire | 2023-04-20 | 2023-04-28 | |||||||||||||||||||||||||||||||||||||||||||||
70 | Concrete 9 below 9.2 (Does NOT affect Concrete 8.5 and below) | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
71 | 9.0-9.1.3 | CVE-2023-28471 | Concrete CMS (previously concrete5) before 9.2 is vulnerable to Stored XSS via a container name.MITRE TO BE REQUSTED TO UPDATE AFFECTED VERSIONS. | Concrete CMS (previously concrete5) between 9.0-9.1.3 is vulnerable to Stored XSS on container name. Prior to fix, there was no sanitization on the container name.Concrete versions below 9 do not use containers. | N/A | N/A | N/A | N/A | 2 | 5.4 | AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Ashim Chapagain | 2023-04-20 | 2023-04-28 | |||||||||||||||||||||||||||||||||||||||||||||
72 | 9.0-9.1.3 | CVE-2023-28474 | Concrete CMS (previously concrete5) before 9.2 is vulnerable to Stored XSS on Saved Presets on search MITRE TO BE REQUSTED TO UPDATE AFFECTED VERSIONS. | Concrete CMS (previously concrete5) between 9.0-9.1.3 is vulnerable to Stored XSS on Saved Preset. Prior to fix, there was no sanitation when saving presets on search. It was a bug that was introduced in version 9.0.0 | N/A | N/A | N/A | N/A | 3.5 | 5.4 | AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Veshraj Ghimire | 2023-04-20 | 2023-04-28 | |||||||||||||||||||||||||||||||||||||||||||||
73 | 9.0-9.1.3 | CVE-2023-28476 | Concrete CMS (previously concrete5) before 9.2 is vulnerable to Stored XSS on Tags on uploaded files. MITRE TO BE REQUSTED TO UPDATE AFFECTED VERSIONS. | Concrete CMS (previously concrete5) between 9.0-9.1.3 is vulnerable to Stored XSS on Tags. Prior to fix there was no sanitation when adding tags on uploaded files. The file details page does not exist in the Concrete Dashboard below version 9.0.0 | N/A | N/A | N/A | N/A | 4.5 | 5.4 | AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Veshraj Ghimire, Ashim Chapagain | 2023-04-20 | 2023-04-28 | |||||||||||||||||||||||||||||||||||||||||||||
74 | Concrete 9 below 9.1.0 Concrete 8 below 8.5.13 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
75 | Concrete below 9.1.0 Concreate 8 below 8.5.13 | CVE-2023-28819 | Concrete CMS (previously concrete5) before 9.1 is vulnerable to Stored XSS in uploaded file and folder names. MITRE HAS CONFIRMED THEY ARE UPDATING AFFECTED VERSIONS. | Concrete CMS (previously concrete5) 9.0.0 though 9.1 and Concrete CMS 8.5.12 and below is vulnerable to Stored XSS in uploaded file and folder names since Concrete CMS was rendering data without sanitizing it. | 3.5 | 5.4 | AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | solov9ev | 2023-04-20 | 2023-04-28 | |||||||||||||||||||||||||||||||||||||||||||||||||
76 | Concrete below 9.1.0 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
77 | Concrete below 9.1.0 | CVE-2023-28820 | Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized. | Concrete CMS (previously concrete5) below 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute since the link element input was not sanitized. | 2 | 5.4 | AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | Anna | 2023-04-20 | 2023-04-28 | |||||||||||||||||||||||||||||||||||||||||||||||||
78 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
79 | Concrete below 9.1.0 | CVE-2023-28821 | Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets. | Concrete CMS (previously concrete5) below 9.1 did not have a rate limit on reset password. The fix relies on a completely new library added to version 9 which is not in version 8. | 5.3 | 5.3 | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | @0x0002 | 2023-04-20 | 2023-04-28 | |||||||||||||||||||||||||||||||||||||||||||||||||
80 | Concrete 8.5.9 and below Concrete 9.0 through 9.1.2 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
81 | Concrete 8.5.9 and below Concrete 9.0 through 9.1.2 | CVE-2022-43693 | Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth. | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth and is only exploitable if the attacker knows the oauth client secret AND the oauth client is set up without a redirect url which isn’t possible in v9. Systems which use the Employee Portal PIV authentication are NOT vulnerable to this CVE. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+ | 6.8 | 8.8 | AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | Fortbridge (Adrian and Bogdan Tiron) | 2022-11-03 | 2022-11-14 | na | x | x | Added state parameter to external concrete authentication service | 9.1.3 https://github.com/concretecms/concretecms/commit/e9131da39113535856f44b7fb1484002b2f61c30 8.5.x https://github.com/concretecms/concretecms/commit/3834239002502a20f5effee2b09c9f35f4980a78 | ||||||||||||||||||||||||||||||||||||||||||||
82 | Concrete 8.5.9 and below Concrete 9.0 through 9.1.2 | CVE-2022-43692 | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS - user can cause an administrator to trigger reflected XSS with a url if the targeted administrator is using an old browser that lacks XSS protection. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS - user can cause an administrator to trigger reflected XSS with a url if that administrator is using an old browser that lacks XSS protection. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | 6.4 | 6.1 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Fortbridge (Adrian and Bogdan Tiron) | 2022-11-03 | 2022-11-14 | x | x | Prevent browser blocked reflected XSS in dashboard search pages | 9.1.3 https://github.com/concretecms/concretecms/commit/5e353be6a12764dbc2338246f2c1b6058cdfd037 8.5.x https://github.com/concretecms/concretecms/commit/0bd65388e5a6d455d8b2469fc166f1b6fdf1abbb | |||||||||||||||||||||||||||||||||||||||||||||
83 | Concrete 8.5.9 and below Concrete 9.0 through 9.1.2 | CVE-2022-43694 | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the image manipulation library due to un-sanitized output. | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the image manipulation library due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | 5.9 | 6.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Fortbridge (Adrian and Bogdan Tiron) | 2022-11-03 | 2022-11-14 | x | x | Sanitized output in the dashboard to prevent potential XSS in the to Multilingual Report, Image Manipulation Library and icon dashboard page | develop https://github.com/concretecms/concretecms/pull/11002 commit 377f387abc 9.1.3 https://github.com/concretecms/concretecms/commit/2cf75469cfef0699618ab9436049dec33aa8ad15 8.5.x https://github.com/concretecms/concretecms/commit/252c38ccff2f22d00cff18994d8f07aee9400edb | |||||||||||||||||||||||||||||||||||||||||||||
84 | Concrete 8.5.9 and below Concrete 9.0 through 9.1.2 | CVE-2022-43967 | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the multilingual report due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the multilingual report due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | 5.9 | 6.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Fortbridge (Adrian and Bogdan Tiron) | 2022-11-03 | 2022-11-14 | x | x | Sanitized output in the dashboard to prevent potential XSS in the to Multilingual Report, Image Manipulation Library and icon dashboard page | ||||||||||||||||||||||||||||||||||||||||||||||
85 | Concrete 8.5.9 and below Concrete 9.0 through 9.1.2 | CVE-2022-43968 | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the dashboard icons due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the dashboard icons due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | 5.9 | 6.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Fortbridge (Adrian and Bogdan Tiron) | 2022-11-03 | 2022-11-14 | x | x | Sanitized output in the dashboard to prevent potential XSS in the to Multilingual Report, Image Manipulation Library and icon dashboard page | ||||||||||||||||||||||||||||||||||||||||||||||
86 | Concrete 8.5.9 and below Concrete 9.0 through 9.1.2 | CVE-2022-43686 | In Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2, the authTypeConcreteCookieMap table can be filled up causing a denial of service (high load). | In Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2, the authTypeConcreteCookieMap table can be filled up causing a denial of service (high load). | 4.8 | 6.5 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | Fortbridge (Adrian and Bogdan Tiron) | 2022-11-03 | 2022-11-14 | x | x | waiting for Pen tester confirmation of remediation | Fixed timeout that could occur when using forever cookie/stay signed in functionality on sites with large amounts of users | |||||||||||||||||||||||||||||||||||||||||||||
87 | Concrete 8.5.9 and below Concrete 9.0 through 9.1.2 | CVE-2022-43691 | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently disclose server-side sensitive information (secrets in environment variables and server information) when Debug Mode is left on in production. | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently disclose server-side sensitive information (secrets in environment variables and server information) when Debug Mode is left on in production. Mitigation for Concrete CMS below 8.5.10 and between 9.0.0 and 9.1.2 - ensure Debug Mode is turned off in production | 4.3 | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | Fortbridge (Adrian and Bogdan Tiron) | 2022-11-03 | 2022-11-14 | |||||||||||||||||||||||||||||||||||||||||||||||||
88 | Concrete 8.5.9 and below Concrete 9.0 through 9.1.2 | CVE-2022-43687 | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+ | 4.2 | 5.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N | Fortbridge (Adrian and Bogdan Tiron) | 2022-11-03 | 2022-11-14 | 9.1.3 https://github.com/concretecms/concretecms/commit/92e0025f229e4b237b7d53507f771c2f9027fba3 8.5.x https://github.com/concretecms/concretecms/commit/87d0966e2654bfb6e2a0a459a670926a72bf73bb | ||||||||||||||||||||||||||||||||||||||||||||||||
89 | Concrete 8.5.9 and below Concrete 9.0 through 9.1.2 | CVE-2022-43695 | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn’t exist or, if it does exist, contains XSS since it was not properly sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn’t exist or, if it does exist, contains XSS since it was not properly sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | 3.1 | 4.8 | CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | Fortbridge (Adrian and Bogdan Tiron) | 2022-11-03 | 2022-11-14 | 9.1.3 https://github.com/concretecms/concretecms/commit/46129ada9b00e5f7eebc4c6c46aba8bfdbee0ad5 8.5.x https://github.com/concretecms/concretecms/commit/4fc7d1c72b8c8a622cc3d140390c7209f8af57ec | ||||||||||||||||||||||||||||||||||||||||||||||||
90 | Concrete 8.5.9 and below Concrete 9.0 through 9.1.2 | CVE-2022-43688 | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in icons since the Microsoft application tile color is not sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in icons since the Microsoft application tile color is not sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+ | 3.1 | 4.8 | CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | Fortbridge (Adrian and Bogdan Tiron) | 2022-11-03 | 2022-11-14 | develop https://github.com/concretecms/concretecms/pull/10999 9.1.3 https://github.com/concretecms/concretecms/commit/51f19b377a19c97a8b8f1d4d0f13724ed1c7c7a7 8.5.x https://github.com/concretecms/concretecms/commit/6d46ca042fcfeda0f7881d8744f5216ef1abce0e | ||||||||||||||||||||||||||||||||||||||||||||||||
91 | Concrete 8.5.9 and below Concrete 9.0 through 9.1.2 | CVE-2022-43690 | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 did not use strict comparison for the legacy_salt so that limited authentication bypass could occur if using this functionality. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 did not use strict comparison for the legacy_salt so that limited authentication bypass could occur if using this functionality. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+ | 3.1 | 6.3 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L | Fortbridge (Adrian and Bogdan Tiron) | 2022-11-03 | 2022-11-14 | 9.1.3 https://github.com/concretecms/concretecms/commit/a4dc73a4a47823373d4b4824534bb9b7d251f72c 8.5.x https://github.com/concretecms/concretecms/commit/d5dd12c40efed326b26862391b7e1e6f414cdd55 | ||||||||||||||||||||||||||||||||||||||||||||||||
92 | Concrete 8.5.9 and below Concrete 9.0 through 9.1.2 | CVE-2022-43689 | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure. | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure | 2.2 | 5.3 | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | Fortbridge (Adrian and Bogdan Tiron) | 2022-11-03 | 2022-11-14 | 9.1.3 https://github.com/concretecms/concretecms/commit/11d549e1aad20b906f8bbdf0c022584a01bb9a91 8.5.x https://github.com/concretecms/concretecms/commit/37d3a6da32affae47e439dfe4f8f4c25929516e9 | ||||||||||||||||||||||||||||||||||||||||||||||||
93 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
94 | Concrete 8.5.9 and below Concrete 9.0 through 9.1.2 | CVE-2022-43556 | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. The Concrete CMS security team has ranked this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Thanks @_akbar_jafarli_ for reporting. Remediate by updating to Concrete CMS 8.5.10 and Concrete CMS 9.1.3. | Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. | 5.4 | 6.1 | CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | @_akbar_jafarli_ | 2022-11-03 | 2022-12-05 | |||||||||||||||||||||||||||||||||||||||||||||||||
95 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
96 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
97 | Concrete 8.5.7 and below Concrete 9.0 through 9.0.2 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
98 | Concrete 8.5.7 and below Concrete 9.0 through 9.0.2 | CVE-2022-21829 | Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concrete_secure’ instead of ‘concrete’. Concrete now only makes requests over https even a request comes in via http. | same | 8 | 9.8 | CVSS v3.1 vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | Anna | 2022-06-21 | 2022-06-24 | |||||||||||||||||||||||||||||||||||||||||||||||||
99 | Concrete 8.5.7 and below Concrete 9.0 through 9.0.2 | CVE-2022-30117 | Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 allow traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. This was remediated by sanitizing /index.php/ccm/system/file/upload to ensure Concrete doesn’t allow traversal and by changing isFullChunkFilePresent to have an early false return when input doesn't match expectations. | same | 5.8 | 9.1 | CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H. | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H | Siebene | 2022-06-21 | 2022-06-24 | |||||||||||||||||||||||||||||||||||||||||||||||||
100 | Concrete 8.5.7 and below Concrete 9.0 through 9.0.2 | CVE-2022-30120 | XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. C Sanitation has been added where built urls are output. | same | 3.1 | 6.1 | CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | Bogdan Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ | 2022-06-21 | 2022-06-24 | |||||||||||||||||||||||||||||||||||||||||||||||||