Vulnerabilities > Concretecms > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-09-25 | CVE-2024-7398 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. | 5.4 |
| 2024-09-25 | CVE-2024-8291 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in Image Editor Background Color. A rogue admin could add malicious code to the Thumbnails/Add-Type. | 4.8 |
| 2024-09-17 | CVE-2024-8660 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS versions 9.0.0 through 9.3.3 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block. Since the "Top Navigator Bar" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted users visited the home page.The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N . | 4.8 |
| 2024-08-12 | CVE-2024-4350 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses. | 4.8 |
| 2024-08-12 | CVE-2024-7512 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in Board instances. | 4.8 |
| 2024-08-08 | CVE-2024-7394 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS versions 9 through 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in getAttributeSetName(). | 4.8 |
| 2024-02-09 | CVE-2024-1245 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator entered file attributes are not sufficiently sanitized in the Edit Attributes page. | 4.8 |
| 2024-02-09 | CVE-2024-1246 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature due to insufficient validation of administrator provided data. | 4.8 |
| 2024-02-09 | CVE-2024-1247 | Cross-site Scripting vulnerability in Concretecms Concrete CMS Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS via the Role Name field since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the affected page. | 4.8 |
| 2023-12-25 | CVE-2023-48652 | Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery (CSRF) via /ccm/system/dialogs/logs/delete_all/submit. | 4.3 |