Vulnerabilities > Concretecms > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-11-14 | CVE-2022-43693 | Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth. | 8.8 |
| 2022-02-09 | CVE-2021-22954 | Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS A cross-site request forgery vulnerability exists in Concrete CMS <v9 that could allow an attacker to make requests on behalf of other users. | 8.8 |
| 2021-11-30 | CVE-2021-40101 | Incorrect Permission Assignment for Critical Resource vulnerability in Concretecms Concrete CMS An issue was discovered in Concrete CMS before 8.5.7. | 7.2 |
| 2021-11-19 | CVE-2021-22951 | Authorization Bypass Through User-Controlled Key vulnerability in Concretecms Concrete CMS Unauthorized individuals could view password protected files using view_inline in Concrete CMS (previously concrete 5) prior to version 8.5.7. | 7.5 |
| 2021-11-19 | CVE-2021-22966 | Incorrect Authorization vulnerability in Concretecms Concrete CMS Privilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. | 8.8 |
| 2021-11-19 | CVE-2021-22967 | Authorization Bypass Through User-Controlled Key vulnerability in Concretecms Concrete CMS In Concrete CMS (formerly concrete 5) below 8.5.7, IDOR Allows Unauthenticated User to Access Restricted Files If Allowed to Add Message to a Conversation.To remediate this, a check was added to verify a user has permissions to view files before attaching the files to a message in "add / edit message”.Concrete CMS security team gave this a CVSS v3.1 score of 4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NCredit for discovery Adrian H | 7.5 |
| 2021-11-19 | CVE-2021-22968 | Unrestricted Upload of File with Dangerous Type vulnerability in Concretecms Concrete CMS A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below.The external file upload feature stages files in the public directory even if they have disallowed file extensions. | 7.2 |
| 2021-11-19 | CVE-2021-22970 | Server-Side Request Forgery (SSRF) vulnerability in Concretecms Concrete CMS Concrete CMS (formerly concrete5) versions 8.5.6 and below and version 9.0.0 allow local IP importing causing the system to be vulnerable toa. | 7.5 |
| 2021-09-27 | CVE-2021-40108 | Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS An issue was discovered in Concrete CMS through 8.5.5. | 8.8 |
| 2021-09-27 | CVE-2021-40097 | Path Traversal vulnerability in Concretecms Concrete CMS An issue was discovered in Concrete CMS through 8.5.5. | 8.8 |