Vulnerabilities > Concretecms > Concrete CMS > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-11-14 | CVE-2022-43693 | Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth. | 8.8 |
| 2021-11-19 | CVE-2021-22968 | Unrestricted Upload of File with Dangerous Type vulnerability in Concretecms Concrete CMS A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below.The external file upload feature stages files in the public directory even if they have disallowed file extensions. | 7.2 |
| 2021-10-07 | CVE-2021-22958 | Server-Side Request Forgery (SSRF) vulnerability in Concretecms Concrete CMS A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP address to bypass the limitations in place for localhost allowing interaction with local services. | 7.5 |
| 2021-09-27 | CVE-2021-40098 | Path Traversal vulnerability in Concretecms Concrete CMS An issue was discovered in Concrete CMS through 8.5.5. | 7.5 |