Vulnerabilities > Concretecms > Concrete CMS
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-02-09 | CVE-2024-1245 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator entered file attributes are not sufficiently sanitized in the Edit Attributes page. | 4.8 |
2024-02-09 | CVE-2024-1246 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature due to insufficient validation of administrator provided data. | 4.8 |
2024-02-09 | CVE-2024-1247 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS via the Role Name field since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the affected page. | 4.8 |
2023-12-25 | CVE-2023-48652 | Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery (CSRF) via /ccm/system/dialogs/logs/delete_all/submit. | 4.3 |
2023-11-17 | CVE-2023-48648 | Incorrect Default Permissions vulnerability in Concretecms Concrete CMS Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions. | 9.8 |
2023-11-17 | CVE-2023-48649 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows stored XSS on the Admin page via an uploaded file name. | 5.4 |
2023-10-23 | CVE-2023-44760 | Cross-site Scripting vulnerability in Concretecms Concrete CMS 9.2.1 Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow an attacker to execute arbitrary code via a crafted script to the Header and Footer Tracking Codes of the SEO & Statistics. | 4.8 |
2023-10-10 | CVE-2023-44763 | Unrestricted Upload of File with Dangerous Type vulnerability in Concretecms Concrete CMS 9.2.1 Concrete CMS v9.2.1 is affected by an Arbitrary File Upload vulnerability via a Thumbnail file upload, which allows Cross-Site Scripting (XSS). | 5.4 |
2023-10-06 | CVE-2023-44761 | Cross-site Scripting vulnerability in Concretecms Concrete CMS 9.2.1 Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS versions affected to 8.5.13 and below, and 9.0.0 through 9.2.1 allow a local attacker to execute arbitrary code via a crafted script to the Forms of the Data objects. | 5.4 |
2023-10-06 | CVE-2023-44762 | Cross-site Scripting vulnerability in Concretecms Concrete CMS 9.2.1 A Cross Site Scripting (XSS) vulnerability in Concrete CMS from versions 9.2.0 to 9.2.2 allows an attacker to execute arbitrary code via a crafted script to the Tags from Settings - Tags. | 5.4 |