Vulnerabilities > Concretecms > Concrete CMS > 8.5.13
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-02-29 | CVE-2023-48653 | Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS Concrete CMS before 8.5.14 and 9 before 9.2.3 allows Cross Site Request Forgery (CSRF) via ccm/calendar/dialogs/event/delete/submit. | 4.3 |
| 2023-04-28 | CVE-2023-28471 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS via a container name. | 5.4 |
| 2023-04-28 | CVE-2023-28472 | Unspecified vulnerability in Concretecms Concrete CMS Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 does not have Secure and HTTP only attributes set for ccmPoll cookies. | 5.3 |
| 2023-04-28 | CVE-2023-28473 | Improper Authentication vulnerability in Concretecms Concrete CMS Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to possible Auth bypass in the jobs section. | 3.3 |
| 2023-04-28 | CVE-2023-28474 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Saved Presets on search. | 5.4 |
| 2023-04-28 | CVE-2023-28475 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (previously concrete5) versions 8.5.12 and below, and versions 9.0 through 9.1.3 is vulnerable to Reflected XSS on the Reply form because msgID was not sanitized. | 6.1 |
| 2023-04-28 | CVE-2023-28476 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Tags on uploaded files. | 5.4 |
| 2023-04-28 | CVE-2023-28477 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to stored XSS on API Integrations via the name parameter. | 5.4 |
| 2023-04-28 | CVE-2023-28819 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (previously concrete5) versions 8.5.12 and below, 9.0.0 through 9.0.2 is vulnerable to Stored XSS in uploaded file and folder names. | 5.4 |
| 2023-04-28 | CVE-2023-28820 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized. | 5.4 |