Concretecms: high-risk vulnerabilities

DATE        CVE             VULNERABILITY TITLE                                                                    RISK
2022-11-14  CVE-2022-43693  Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS            8.8 (network, low complexity, CWE-352)
            Concrete CMS is vulnerable to CSRF due to the lack of a "State" parameter in the external Concrete authentication service, affecting Concrete users who use the "out of the box" core OAuth.

2021-11-19  CVE-2021-22968  Unrestricted Upload of File with Dangerous Type vulnerability in Concretecms Concrete CMS   7.2 (network, low complexity, CWE-434)
            A bypass of adding remote files in the Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below. The external file upload feature stages files in the public directory even if they have disallowed file extensions.

2021-10-07  CVE-2021-22958  Server-Side Request Forgery (SSRF) vulnerability in Concretecms Concrete CMS           7.5 (network, low complexity, CWE-918)
            A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal-notation encoded IP address to bypass the limitations in place for localhost, allowing interaction with local services.

2021-09-27  CVE-2021-40098  Path Traversal vulnerability in Concretecms Concrete CMS                                 7.5 (network, low complexity, CWE-22)
            An issue was discovered in Concrete CMS through 8.5.5.