Vulnerabilities > Concretecms > Concrete CMS
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-11-14 | CVE-2022-43968 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the dashboard icons due to un-sanitized output. | 6.1 |
| 2022-11-14 | CVE-2022-43692 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS - user can cause an administrator to trigger reflected XSS with a url if the targeted administrator is using an old browser that lacks XSS protection. | 6.1 |
| 2022-11-14 | CVE-2022-43694 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the image manipulation library due to un-sanitized output. | 6.1 |
| 2022-11-14 | CVE-2022-43693 | Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth. | 8.8 |
| 2022-06-24 | CVE-2022-21829 | Cleartext Transmission of Sensitive Information vulnerability in Concretecms Concrete CMS Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. | 9.8 |
| 2022-06-24 | CVE-2022-30117 | Path Traversal vulnerability in Concretecms Concrete CMS Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 allow traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. | 9.1 |
| 2022-06-24 | CVE-2022-30118 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Title for CVE: XSS in /dashboard/system/express/entities/forms/save_control/[GUID]: old browsers only.Description: When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 can allow XSS. | 6.1 |
| 2022-06-24 | CVE-2022-30119 | Cross-site Scripting vulnerability in Concretecms Concrete CMS XSS in /dashboard/reports/logs/view - old browsers only. | 6.1 |
| 2022-06-24 | CVE-2022-30120 | Cross-site Scripting vulnerability in Concretecms Concrete CMS XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. | 6.1 |
| 2022-02-09 | CVE-2021-22954 | Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS A cross-site request forgery vulnerability exists in Concrete CMS <v9 that could allow an attacker to make requests on behalf of other users. | 8.8 |