Vulnerabilities > Concretecms
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-04-28 | CVE-2023-28819 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (previously concrete5) versions 8.5.12 and below, 9.0.0 through 9.0.2 is vulnerable to Stored XSS in uploaded file and folder names. | 5.4 |
| 2023-04-28 | CVE-2023-28820 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized. | 5.4 |
| 2023-04-28 | CVE-2023-28821 | Weak Password Recovery Mechanism for Forgotten Password vulnerability in Concretecms Concrete CMS Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets. | 5.3 |
| 2022-12-05 | CVE-2022-43556 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. | 6.1 |
| 2022-11-14 | CVE-2022-43687 | Session Fixation vulnerability in Concretecms Concrete CMS Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. | 5.4 |
| 2022-11-14 | CVE-2022-43688 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in icons since the Microsoft application tile color is not sanitized. | 4.8 |
| 2022-11-14 | CVE-2022-43689 | XXE vulnerability in Concretecms Concrete CMS Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure. | 5.3 |
| 2022-11-14 | CVE-2022-43690 | Unspecified vulnerability in Concretecms Concrete CMS Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 did not use strict comparison for the legacy_salt so that limited authentication bypass could occur if using this functionality. | 6.3 |
| 2022-11-14 | CVE-2022-43691 | Cleartext Transmission of Sensitive Information vulnerability in Concretecms Concrete CMS Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently disclose server-side sensitive information (secrets in environment variables and server information) when Debug Mode is left on in production. | 5.3 |
| 2022-11-14 | CVE-2022-43695 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn’t exist or, if it does exist, contains XSS since it was not properly sanitized. | 4.8 |