Vulnerabilities > Concretecms
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-04-28 | CVE-2023-28472 | Unspecified vulnerability in Concretecms Concrete CMS Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 does not have Secure and HTTP only attributes set for ccmPoll cookies. | 5.3 |
| 2023-04-28 | CVE-2023-28473 | Improper Authentication vulnerability in Concretecms Concrete CMS Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to possible Auth bypass in the jobs section. | 3.3 |
| 2023-04-28 | CVE-2023-28474 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Saved Presets on search. | 5.4 |
| 2023-04-28 | CVE-2023-28475 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (previously concrete5) versions 8.5.12 and below, and versions 9.0 through 9.1.3 is vulnerable to Reflected XSS on the Reply form because msgID was not sanitized. | 6.1 |
| 2023-04-28 | CVE-2023-28476 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Tags on uploaded files. | 5.4 |
| 2023-04-28 | CVE-2023-28477 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to stored XSS on API Integrations via the name parameter. | 5.4 |
| 2023-04-28 | CVE-2023-28819 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (previously concrete5) versions 8.5.12 and below, 9.0.0 through 9.0.2 is vulnerable to Stored XSS in uploaded file and folder names. | 5.4 |
| 2023-04-28 | CVE-2023-28820 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized. | 5.4 |
| 2023-04-28 | CVE-2023-28821 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Concretecms Concrete CMS Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets. | 5.3 |
| 2022-12-05 | CVE-2022-43556 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. | 6.1 |