Vulnerabilities > Concretecms

DATE CVE VULNERABILITY TITLE RISK
2022-11-14 CVE-2022-43686 Allocation of Resources Without Limits or Throttling vulnerability in Concretecms Concrete CMS
In Concrete CMS (formerly concrete5) versions below 8.5.10 and from 9.0.0 through 9.1.2, the authTypeConcreteCookieMap table can be filled without limit by remote requests, causing a denial of service (high load).
network
low complexity
concretecms CWE-770
6.5
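The CWE-770 entry above is an unbounded-growth problem: nothing caps how many rows a single client can add. The following is an added example (not Concrete CMS code) of the two limits a practitioner would normally want on such a table: a per-client sliding-window cap and a global row ceiling. The table class, the client identifier, and all constants are illustrative assumptions; the flood scenario is constructed inline.

```python
import time
from collections import deque

# Added example, not Concrete CMS code. Constants are illustrative choices.
WINDOW_SECONDS = 60            # sliding window per client
MAX_INSERTS_PER_CLIENT = 5     # rows one client may add per window
MAX_TABLE_ROWS = 10_000        # hard ceiling on the table as a whole


class BoundedCookieMap:
    """Stand-in for a DB table such as authTypeConcreteCookieMap, with two
    limits: a per-client rate cap and a global row ceiling."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._rows = {}      # token -> client id
        self._recent = {}    # client id -> deque of insert timestamps

    def try_insert(self, client_id, token):
        now = self._clock()
        stamps = self._recent.setdefault(client_id, deque())
        # Drop timestamps that have aged out of the window.
        while stamps and now - stamps[0] >= WINDOW_SECONDS:
            stamps.popleft()
        if len(stamps) >= MAX_INSERTS_PER_CLIENT:
            return False     # this client is throttled
        if len(self._rows) >= MAX_TABLE_ROWS:
            return False     # table is full; refuse rather than grow unbounded
        self._rows[token] = client_id
        stamps.append(now)
        return True

    def row_count(self):
        return len(self._rows)


def simulate_flood(n_requests, client_id="198.51.100.7"):
    """Constructed scenario: one client sends n_requests inserts 10 ms apart.
    Returns the number of rows actually added."""
    clock = [1000.0]
    table = BoundedCookieMap(clock=lambda: clock[0])
    accepted = 0
    for i in range(n_requests):
        if table.try_insert(client_id, f"tok-{i}"):
            accepted += 1
        clock[0] += 0.01
    return accepted


def simulate_window_reset():
    """Same client: burst of 10, wait one full window, burst of 10 more.
    Returns the rows accepted in each burst."""
    clock = [0.0]
    table = BoundedCookieMap(clock=lambda: clock[0])
    first = sum(table.try_insert("c1", f"a{i}") for i in range(10))
    clock[0] += WINDOW_SECONDS
    second = sum(table.try_insert("c1", f"b{i}") for i in range(10))
    return first, second
```

A flood of 500 requests from one client adds only five rows, and the same client gets five more only after the window has elapsed. Keying the limit on an unauthenticated attribute such as source IP is a trade-off: it blunts a single-source flood but not a distributed one, which is why the global ceiling is kept as a backstop.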
2022-11-14 CVE-2022-43967 Cross-site Scripting vulnerability in Concretecms Concrete CMS
Concrete CMS (formerly concrete5) versions below 8.5.10 and from 9.0.0 through 9.1.2 are vulnerable to reflected XSS in the multilingual report because output is not sanitized.
network
low complexity
concretecms CWE-79
6.1
2022-11-14 CVE-2022-43968 Cross-site Scripting vulnerability in Concretecms Concrete CMS
Concrete CMS (formerly concrete5) versions below 8.5.10 and from 9.0.0 through 9.1.2 are vulnerable to reflected XSS in the dashboard icons because output is not sanitized.
network
low complexity
concretecms CWE-79
6.1
2022-11-14 CVE-2022-43692 Cross-site Scripting vulnerability in Concretecms Concrete CMS
Concrete CMS (formerly concrete5) versions below 8.5.10 and from 9.0.0 through 9.1.2 are vulnerable to reflected XSS: a user can craft a URL that, when opened by an administrator, triggers the injected script if that administrator is using an old browser that lacks XSS protection.
network
low complexity
concretecms CWE-79
6.1
2022-11-14 CVE-2022-43694 Cross-site Scripting vulnerability in Concretecms Concrete CMS
Concrete CMS (formerly concrete5) versions below 8.5.10 and from 9.0.0 through 9.1.2 are vulnerable to reflected XSS in the image manipulation library because output is not sanitized.
network
low complexity
concretecms CWE-79
6.1
2022-11-14 CVE-2022-43693 Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS
Concrete CMS is vulnerable to CSRF because the external Concrete authentication service does not use an OAuth "state" parameter; this affects sites that use the "out of the box" core OAuth authentication.
network
low complexity
concretecms CWE-352
8.8
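The missing "state" parameter in the CSRF entry above is the OAuth client's only binding between the authorization request it started and the callback it later receives. Below is an added example (not Concrete CMS code, and not its OAuth implementation) that shows the vulnerable callback beside a hardened one that mints an unguessable state, binds it to the browser session, compares it in constant time, and consumes it on first use. The provider URL, client id and redirect URI are placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Added example, not Concrete CMS code. Endpoint and client values are placeholders.
AUTHORIZE_URL = "https://idp.example/oauth/authorize"
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://site.example/oauth/callback"


def start_login(session):
    """Begin the authorization-code flow: mint an unguessable state, bind it
    to this browser session, and send it along to the provider."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def query_param(url, name):
    values = parse_qs(urlparse(url).query).get(name)
    return values[0] if values else None


def handle_callback_unsafe(session, callback_url):
    """Vulnerable pattern (the bug class of CVE-2022-43693): whatever code
    arrives is accepted and linked to the current session. An attacker can
    obtain a code for their own provider account, wrap it in a callback URL
    and lure a logged-in victim into opening it, so the victim's site account
    ends up linked to the attacker's external account."""
    return query_param(callback_url, "code")


def handle_callback(session, callback_url):
    """Hardened: the callback must carry exactly the state minted for this
    session. Returns the authorization code, or None if rejected."""
    expected = session.pop("oauth_state", None)   # single use: a replay fails
    presented = query_param(callback_url, "state")
    if expected is None or presented is None:
        return None
    # Constant-time comparison on bytes (compare_digest rejects non-ASCII str).
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return None
    return query_param(callback_url, "code")
```

The state is popped from the session before it is compared, so a mismatched or replayed callback also forces the user back through `start_login`; this is deliberate, since a stale state left in the session is itself a small window for the attacker.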
2022-06-24 CVE-2022-21829 Cleartext Transmission of Sensitive Information vulnerability in Concretecms Concrete CMS
Concrete CMS versions 9.0.0 through 9.0.2, and 8.5.7 and below, can download zip files over cleartext HTTP and execute code contained in those zip files; an attacker able to tamper with that traffic could therefore achieve remote code execution (RCE).
network
low complexity
concretecms CWE-319
critical
9.8
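The CWE-319 entry above turns a network-position attacker into a code-execution one: whoever can alter the HTTP response chooses what the zip contains. As an added example (not Concrete CMS code or its update mechanism), the block below applies the two checks a fetch-and-execute path needs before any archive content is touched: refuse non-HTTPS or unexpected hosts, and verify the archive against a pinned SHA-256 digest. The host allow-list is an assumption, as is the premise that the expected digest arrives over a channel the attacker cannot tamper with; the archive is constructed in memory.

```python
import hashlib
import hmac
import io
import zipfile
from urllib.parse import urlparse

# Added example, not Concrete CMS code. The host allow-list and the digest
# source are assumptions: in practice the expected digest comes from a
# channel the attacker cannot tamper with (signed metadata, or the same
# authenticated HTTPS origin).
ALLOWED_HOSTS = {"updates.example"}


class UntrustedArchive(Exception):
    pass


def source_allowed(url):
    """Accept only https:// URLs on the expected host. A plain http:// URL is
    refused outright: anyone on the path could swap the archive."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_and_open(archive_bytes, expected_sha256):
    """Check the archive against a pinned digest before any file in it is
    read, let alone executed. Returns an open ZipFile on success."""
    actual = sha256_hex(archive_bytes)
    if not hmac.compare_digest(actual, expected_sha256):
        raise UntrustedArchive("archive digest mismatch; refusing to install")
    return zipfile.ZipFile(io.BytesIO(archive_bytes))


def accepted(archive_bytes, expected_sha256):
    """Boolean wrapper around verify_and_open for callers that do not want
    to handle the exception."""
    try:
        verify_and_open(archive_bytes, expected_sha256)
        return True
    except UntrustedArchive:
        return False


def build_sample_archive(payload=b"<?php echo 'hello';"):
    """Constructed sample: a one-file package archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("package/controller.php", payload)
    return buf.getvalue()
```

A digest pinned alongside the download URL only helps if the attacker cannot rewrite both; where the digest is served from the same cleartext origin as the archive, the check adds nothing, which is why the scheme and host check comes first.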
2022-06-24 CVE-2022-30117 Path Traversal vulnerability in Concretecms Concrete CMS
Concrete CMS 8.5.7 and below, as well as 9.0 through 9.0.2, allow path traversal in /index.php/ccm/system/file/upload, which could be exploited to delete arbitrary files.
network
low complexity
concretecms CWE-22
6.4
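The CWE-22 entry above is the classic shape of a file-delete traversal: a request-controlled name is joined onto the upload directory and acted on without checking where it ended up. The block below is an added example (not Concrete CMS code) showing the naive join beside a containment check that resolves both paths and requires the target to sit strictly below the root. The upload root is a placeholder and the delete operation is injected so the logic runs without touching disk.

```python
import os
from pathlib import Path

# Added example, not Concrete CMS code. The upload root is a placeholder.
UPLOAD_ROOT = "/srv/app/uploads"


def unsafe_join(root, user_supplied):
    """Vulnerable pattern: the request-controlled name is joined onto the
    root and normalised, but never checked against it. '..' segments and
    absolute paths walk out of the upload directory."""
    return os.path.normpath(os.path.join(root, user_supplied))


def resolve_inside(root, user_supplied):
    """Hardened: resolve both paths (collapsing '..' and following symlinks)
    and require the candidate to be strictly below the root.
    Raises ValueError otherwise."""
    root_path = Path(root).resolve()
    candidate = (root_path / user_supplied).resolve()
    if root_path not in candidate.parents:
        raise ValueError(f"path escapes upload root: {user_supplied!r}")
    return candidate


def is_contained(root, user_supplied):
    try:
        resolve_inside(root, user_supplied)
        return True
    except ValueError:
        return False


def delete_upload(root, user_supplied, remove=os.remove):
    """Delete handler that only ever acts on a path proven to be inside root.
    `remove` is injectable so the logic can be exercised without touching disk."""
    target = resolve_inside(root, user_supplied)
    remove(target)
    return str(target)
```

Because `Path.resolve()` follows symlinks, a link planted inside the upload directory that points outside it is also rejected. What the check does not close is the gap between resolving and removing; on a shared filesystem the delete should run with a descriptor or under a process whose filesystem permissions are confined to the upload tree.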
2022-06-24 CVE-2022-30118 Cross-site Scripting vulnerability in Concretecms Concrete CMS
XSS in /dashboard/system/express/entities/forms/save_control/[GUID] (old browsers only). When using Internet Explorer with its XSS protection disabled, editing a form control in an Express entities form in Concrete CMS 8.5.7 and below, as well as 9.0 through 9.0.2, can allow XSS.
4.3
2022-06-24 CVE-2022-30119 Cross-site Scripting vulnerability in Concretecms Concrete CMS
XSS in /dashboard/reports/logs/view - old browsers only.
4.3
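Six entries on this page (CVE-2022-43967, CVE-2022-43968, CVE-2022-43692, CVE-2022-43694, CVE-2022-30118 and CVE-2022-30119) are the same root cause: a request parameter reflected into a page without output encoding. Several are rated "old browsers only" because a browser-side XSS filter happens to catch the payload, but that filter is not a server-side control. As an added example (not Concrete CMS code, and not any of the affected pages), the block below shows the vulnerable reflection beside context-aware encoding for the three places a value commonly lands: HTML text, a quoted attribute, and a URL query component. The page fragments and payloads are constructed.

```python
import html
from urllib.parse import quote

# Added example, not Concrete CMS code. The page fragments are invented.


def render_unsafe(query):
    """Vulnerable pattern behind reflected XSS: a request parameter is echoed
    verbatim into the response."""
    return f"<p>Results for: {query}</p>"


def render_safe(query):
    """Encode for each context the value lands in. html.escape (quote=True by
    default) covers HTML text and quoted attributes; a URL query component
    needs percent-encoding instead, since entity encoding means nothing there."""
    text = html.escape(query)          # & < > " ' -> entities
    url = quote(query, safe="")        # percent-encode every reserved character
    return (
        f"<p>Results for: {text}</p>\n"
        f'<input name="q" value="{text}">\n'
        f'<a href="/search?q={url}">permalink</a>'
    )


def breaks_out(rendered, marker):
    """True if the raw marker (a tag, or an attribute/event-handler fragment)
    survives verbatim in the output, i.e. the payload escaped its context."""
    return marker in rendered
```

A script tag survives `render_unsafe` intact and comes out of `render_safe` as `&lt;script&gt;`; an attribute-breakout payload such as `" onfocus="alert(1)` loses its quote characters in the attribute and is fully percent-encoded in the link. Encoding is applied at output time, in the template, rather than by filtering input, because the same value may legitimately need different encodings on different pages.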