Vulnerabilities > Concretecms
DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | RISK |
---|---|---|---|---|
2020-01-14 | CVE-2011-3183 | Cross-site Scripting vulnerability in Concretecms Concrete CMS 5.4.1.1 | A Cross-Site Scripting (XSS) vulnerability exists in the rcID parameter in Concrete CMS 5.4.1.1 and earlier. | 4.3 |
2019-06-17 | CVE-2018-19146 | Cross-site Scripting vulnerability in Concretecms Concrete CMS 8.4.3 | Concrete5 8.4.3 has XSS because config/concrete.php allows uploads (by administrators) of SVG files that may contain HTML data with a SCRIPT element. | 3.5 |
2018-07-09 | CVE-2018-13790 | Server-Side Request Forgery (SSRF) vulnerability in Concretecms Concrete CMS 8.2.0 | A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to attacks on the local network and mapping of the internal network, because of URL functionality on the File Manager page. | 6.5 |
2018-02-26 | CVE-2017-18195 | Unspecified vulnerability in Concretecms Concrete CMS | An issue was discovered in tools/conversations/view_ajax.php in Concrete5 before 8.3.0. | 5.0 |
2017-09-07 | CVE-2015-4724 | SQL Injection vulnerability in Concretecms Concrete CMS 5.7.3.1 | SQL injection vulnerability in Concrete5 5.7.3.1. | 6.5 |
2017-09-07 | CVE-2015-4721 | Cross-site Scripting vulnerability in Concretecms Concrete CMS 5.7.3.1 | Multiple cross-site scripting (XSS) vulnerabilities in Concrete5 5.7.3.1. | 4.3 |
2017-04-24 | CVE-2017-8082 | Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS 8.1.0 | concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire installation by merely tricking an admin into viewing a malicious page involving the /tools/required/files/importers/imageeditor?fID=1&imgData= URI. | 4.3 |
2017-04-13 | CVE-2017-7725 | Cross-site Scripting vulnerability in Concretecms Concrete CMS 8.1.0 | concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "canonical" URL on installation of concrete5 using the "Advanced Options" settings. | 4.3 |
2015-01-05 | CVE-2014-9526 | Cross-site Scripting vulnerability in multiple products | Multiple cross-site scripting (XSS) vulnerabilities in concrete5 5.7.2.1, 5.7.2, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) gName parameter in single_pages/dashboard/users/groups/bulkupdate.php or (2) instance_id parameter in tools/dashboard/sitemap_drag_request.php. | 4.3 |
2014-07-28 | CVE-2014-5108 | Cross-Site Scripting vulnerability in multiple products | Cross-site scripting (XSS) vulnerability in single_pages\download_file.php in concrete5 before 5.6.3 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header to index.php/download_file. | 4.3 |