Vulnerabilities > Concretecms

DATE CVE VULNERABILITY TITLE RISK
2022-11-14 CVE-2022-43687 Session Fixation vulnerability in Concretecms Concrete CMS
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication.
network
low complexity
concretecms CWE-384
5.4
2022-11-14 CVE-2022-43688 Cross-site Scripting vulnerability in Concretecms Concrete CMS
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in icons since the Microsoft application tile color is not sanitized.
network
low complexity
concretecms CWE-79
4.8
2022-11-14 CVE-2022-43689 XXE vulnerability in Concretecms Concrete CMS
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure.
network
low complexity
concretecms CWE-611
5.3
2022-11-14 CVE-2022-43690 Unspecified vulnerability in Concretecms Concrete CMS
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 did not use strict comparison for the legacy_salt so that limited authentication bypass could occur if using this functionality.
network
low complexity
concretecms
6.3
2022-11-14 CVE-2022-43691 Cleartext Transmission of Sensitive Information vulnerability in Concretecms Concrete CMS
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently disclose server-side sensitive information (secrets in environment variables and server information) when Debug Mode is left on in production.
network
low complexity
concretecms CWE-319
5.3
2022-11-14 CVE-2022-43695 Cross-site Scripting vulnerability in Concretecms Concrete CMS
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn’t exist or, if it does exist, contains XSS since it was not properly sanitized.
network
low complexity
concretecms CWE-79
4.8
2022-11-14 CVE-2022-43686 Allocation of Resources Without Limits or Throttling vulnerability in Concretecms Concrete CMS
In Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2, the authTypeConcreteCookieMap table can be filled up causing a denial of service (high load).
network
low complexity
concretecms CWE-770
6.5
2022-11-14 CVE-2022-43967 Cross-site Scripting vulnerability in Concretecms Concrete CMS
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the multilingual report due to un-sanitized output.
network
low complexity
concretecms CWE-79
6.1
2022-11-14 CVE-2022-43968 Cross-site Scripting vulnerability in Concretecms Concrete CMS
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the dashboard icons due to un-sanitized output.
network
low complexity
concretecms CWE-79
6.1
2022-11-14 CVE-2022-43692 Cross-site Scripting vulnerability in Concretecms Concrete CMS
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS - user can cause an administrator to trigger reflected XSS with a url if the targeted administrator is using an old browser that lacks XSS protection.
network
low complexity
concretecms CWE-79
6.1