Vulnerabilities > Concretecms > Concrete CMS > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-09-23 | CVE-2021-22950 | Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS Concrete CMS prior to 8.5.6 had a CSFR vulnerability allowing attachments to comments in the conversation section to be deleted.Credit for discovery: "Solar Security Research Team" | 6.5 |
| 2021-09-23 | CVE-2021-22953 | Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to clone topics which can lead to UI inconvenience, and exhaustion of disk space.Credit for discovery: "Solar Security Research Team" | 5.4 |
| 2021-03-18 | CVE-2021-28145 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (formerly concrete5) before 8.5.5 allows remote authenticated users to conduct XSS attacks via a crafted survey block. | 5.4 |
| 2021-01-08 | CVE-2021-3111 | Cross-site Scripting vulnerability in Concretecms Concrete CMS The Express Entries Dashboard in Concrete5 8.5.4 allows stored XSS via the name field of a new data object at an index.php/dashboard/express/entries/view/ URI. | 4.8 |
| 2020-06-22 | CVE-2020-14961 | Unspecified vulnerability in Concretecms Concrete CMS Concrete5 before 8.5.3 does not constrain the sort direction to a valid asc or desc value. | 5.3 |
| 2020-01-14 | CVE-2011-3183 | Cross-site Scripting vulnerability in Concretecms Concrete CMS 5.4.1.1 A Cross-Site Scripting (XSS) vulnerability exists in the rcID parameter in Concrete CMS 5.4.1.1 and earlier. | 6.1 |
| 2019-06-17 | CVE-2018-19146 | Cross-site Scripting vulnerability in Concretecms Concrete CMS 8.4.3 Concrete5 8.4.3 has XSS because config/concrete.php allows uploads (by administrators) of SVG files that may contain HTML data with a SCRIPT element. | 4.8 |
| 2018-02-26 | CVE-2017-18195 | Unspecified vulnerability in Concretecms Concrete CMS An issue was discovered in tools/conversations/view_ajax.php in Concrete5 before 8.3.0. | 5.3 |
| 2017-09-07 | CVE-2015-4721 | Cross-site Scripting vulnerability in Concretecms Concrete CMS 5.7.3.1 Multiple cross-site scripting (XSS) vulnerabilities in Concrete5 5.7.3.1. | 6.1 |
| 2017-04-24 | CVE-2017-8082 | Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS 8.1.0 concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire installation by merely tricking an admin into viewing a malicious page involving the /tools/required/files/importers/imageeditor?fID=1&imgData= URI. | 6.5 |