Vulnerabilities > Concretecms

DATE CVE VULNERABILITY TITLE RISK
2024-09-25 CVE-2024-7398 Cross-site Scripting vulnerability in Concretecms Concrete CMS
Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output.
network
low complexity
concretecms CWE-79
5.4
2024-09-25 CVE-2024-8291 Cross-site Scripting vulnerability in Concretecms Concrete CMS
Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in Image Editor Background Color.  A rogue admin could add malicious code to the Thumbnails/Add-Type.
network
low complexity
concretecms CWE-79
4.8
2024-09-17 CVE-2024-8660 Cross-site Scripting vulnerability in Concretecms Concrete CMS
Concrete CMS versions 9.0.0 through 9.3.3 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block. Since the "Top Navigator Bar" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted users visited the home page.The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N .
network
low complexity
concretecms CWE-79
4.8
2024-08-12 CVE-2024-4350 Cross-site Scripting vulnerability in Concretecms Concrete CMS
Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses.
network
low complexity
concretecms CWE-79
4.8
2024-08-12 CVE-2024-7512 Cross-site Scripting vulnerability in Concretecms Concrete CMS
Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in Board instances.
network
low complexity
concretecms CWE-79
4.8
2024-08-08 CVE-2024-7394 Cross-site Scripting vulnerability in Concretecms Concrete CMS
Concrete CMS versions 9 through 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in getAttributeSetName().
network
low complexity
concretecms CWE-79
4.8
2024-02-09 CVE-2024-1245 Cross-site Scripting vulnerability in Concretecms Concrete CMS
Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator entered file attributes are not sufficiently sanitized in the Edit Attributes page.
network
low complexity
concretecms CWE-79
4.8
2024-02-09 CVE-2024-1246 Cross-site Scripting vulnerability in Concretecms Concrete CMS
Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature due to insufficient validation of administrator provided data.
network
low complexity
concretecms CWE-79
4.8
2024-02-09 CVE-2024-1247 Cross-site Scripting vulnerability in Concretecms Concrete CMS
Concrete CMS version 9 before 9.2.5 is vulnerable to  stored XSS via the Role Name field since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the affected page.
network
low complexity
concretecms CWE-79
4.8
2023-12-25 CVE-2023-48652 Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS
Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery (CSRF) via /ccm/system/dialogs/logs/delete_all/submit.
network
low complexity
concretecms CWE-352
4.3