Vulnerabilities > Concretecms > Concrete CMS > 9.2.3
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-04-03 | CVE-2024-3178 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS versions 9 below 9.2.8 and versions below 8.5.16 are vulnerable to Cross-site Scripting (XSS) in the Advanced File Search Filter. Prior to the fix, a rogue administrator could add malicious code in the file manager because of insufficient validation of administrator provided data. | 4.8 |
| 2024-04-03 | CVE-2024-3179 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS version 9 before 9.2.8 and previous versions before 8.5.16 are vulnerable to Stored XSS in the Custom Class page editing. Prior to the fix, a rogue administrator could insert malicious code in the custom class field due to insufficient validation of administrator provided data. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . | 4.8 |
| 2024-04-03 | CVE-2024-3180 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS version 9 below 9.2.8 and previous versions below 8.5.16 is vulnerable to Stored XSS in blocks of type file. Stored XSS could be caused by a rogue administrator adding malicious code to the link-text field when creating a block of type file. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:L https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Thanks Alexey Solovyev for reporting. | 4.8 |
| 2024-03-05 | CVE-2024-2179 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS version 9 before 9.2.7 is vulnerable to Stored XSS via the Name field of a Group type since there is insufficient validation of administrator provided data for that field. | 4.8 |
| 2024-02-09 | CVE-2024-1245 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator entered file attributes are not sufficiently sanitized in the Edit Attributes page. | 4.8 |
| 2024-02-09 | CVE-2024-1246 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature due to insufficient validation of administrator provided data. | 4.8 |
| 2024-02-09 | CVE-2024-1247 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS via the Role Name field since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the affected page. | 4.8 |