Vulnerabilities > Concretecms > Concrete CMS > Medium
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2024-02-09 | CVE-2024-1247 | Cross-site Scripting vulnerability in Concretecms Concrete CMS | Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS via the Role Name field since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the affected page. | 4.8 |
2023-12-25 | CVE-2023-48652 | Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS | Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery (CSRF) via /ccm/system/dialogs/logs/delete_all/submit. | 4.3 |
2023-11-17 | CVE-2023-48649 | Cross-site Scripting vulnerability in Concretecms Concrete CMS | Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows stored XSS on the Admin page via an uploaded file name. | 5.4 |
2023-10-23 | CVE-2023-44760 | Cross-site Scripting vulnerability in Concretecms Concrete CMS 9.2.1 | Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow an attacker to execute arbitrary code via a crafted script to the Header and Footer Tracking Codes of the SEO & Statistics. | 4.8 |
2023-10-10 | CVE-2023-44763 | Unrestricted Upload of File with Dangerous Type vulnerability in Concretecms Concrete CMS 9.2.1 | Concrete CMS v9.2.1 is affected by an Arbitrary File Upload vulnerability via a Thumbnail file upload, which allows Cross-Site Scripting (XSS). | 5.4 |
2023-10-06 | CVE-2023-44761 | Cross-site Scripting vulnerability in Concretecms Concrete CMS 9.2.1 | Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS versions 8.5.13 and below, and 9.0.0 through 9.2.1 allow a local attacker to execute arbitrary code via a crafted script to the Forms of the Data objects. | 5.4 |
2023-10-06 | CVE-2023-44762 | Cross-site Scripting vulnerability in Concretecms Concrete CMS 9.2.1 | A Cross Site Scripting (XSS) vulnerability in Concrete CMS from versions 9.2.0 to 9.2.2 allows an attacker to execute arbitrary code via a crafted script to the Tags from Settings - Tags. | 5.4 |
2023-10-06 | CVE-2023-44764 | Cross-site Scripting vulnerability in Concretecms Concrete CMS 9.2.1 | A Cross Site Scripting (XSS) vulnerability in Concrete CMS before 9.2.3 exists via the Name parameter during installation (aka Site of Installation or Settings). | 5.4 |
2023-10-06 | CVE-2023-44765 | Cross-site Scripting vulnerability in Concretecms Concrete CMS 9.2.1 | A Cross Site Scripting (XSS) vulnerability in Concrete CMS versions 8.5.12 and below, and 9.0 through 9.2.1 allows an attacker to execute arbitrary code via a crafted script to Plural Handle of the Data Objects from System & Settings. | 5.4 |
2023-10-06 | CVE-2023-44766 | Cross-site Scripting vulnerability in Concretecms Concrete CMS 9.2.1 | A Cross Site Scripting (XSS) vulnerability in Concrete CMS v.9.2.1 allows an attacker to execute arbitrary code via a crafted script to the SEO - Extra from Page Settings. | 4.8 |