Vulnerabilities > Concretecms
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-11-14 | CVE-2022-43694 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the image manipulation library due to un-sanitized output. | 6.1 |
| 2022-11-14 | CVE-2022-43693 | Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth. | 8.8 |
| 2022-06-24 | CVE-2022-21829 | Cleartext Transmission of Sensitive Information vulnerability in Concretecms Concrete CMS Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. | 9.8 |
| 2022-06-24 | CVE-2022-30117 | Path Traversal vulnerability in Concretecms Concrete CMS Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 allow traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. | 9.1 |
| 2022-06-24 | CVE-2022-30118 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Title for CVE: XSS in /dashboard/system/express/entities/forms/save_control/[GUID]: old browsers only.Description: When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 can allow XSS. | 6.1 |
| 2022-06-24 | CVE-2022-30119 | Cross-site Scripting vulnerability in Concretecms Concrete CMS XSS in /dashboard/reports/logs/view - old browsers only. | 6.1 |
| 2022-06-24 | CVE-2022-30120 | Cross-site Scripting vulnerability in Concretecms Concrete CMS XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. | 6.1 |
| 2022-02-09 | CVE-2021-22954 | Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS A cross-site request forgery vulnerability exists in Concrete CMS <v9 that could allow an attacker to make requests on behalf of other users. | 8.8 |
| 2021-11-30 | CVE-2021-40101 | Incorrect Permission Assignment for Critical Resource vulnerability in Concretecms Concrete CMS An issue was discovered in Concrete CMS before 8.5.7. | 7.2 |
| 2021-11-19 | CVE-2021-22951 | Authorization Bypass Through User-Controlled Key vulnerability in Concretecms Concrete CMS Unauthorized individuals could view password protected files using view_inline in Concrete CMS (previously concrete 5) prior to version 8.5.7. | 7.5 |