Vulnerabilities > Concretecms > Medium
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-11-14 | CVE-2022-43694 | Cross-site Scripting vulnerability in Concretecms Concrete CMS. Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the image manipulation library due to unsanitized output. | 6.1 |
2022-06-24 | CVE-2022-30118 | Cross-site Scripting vulnerability in Concretecms Concrete CMS. Title for CVE: XSS in /dashboard/system/express/entities/forms/save_control/[GUID]: old browsers only. Description: When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 can allow XSS. | 6.1 |
2022-06-24 | CVE-2022-30119 | Cross-site Scripting vulnerability in Concretecms Concrete CMS. XSS in /dashboard/reports/logs/view - old browsers only. | 6.1 |
2022-06-24 | CVE-2022-30120 | Cross-site Scripting vulnerability in Concretecms Concrete CMS. XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. | 6.1 |
2021-11-19 | CVE-2021-22969 | Server-Side Request Forgery (SSRF) vulnerability in Concretecms Concrete CMS. Concrete CMS (formerly concrete5) versions below 8.5.7 has an SSRF mitigation bypass using a DNS rebind attack, giving an attacker the ability to fetch cloud IAAS (ex AWS) IAM keys. To fix this, Concrete CMS no longer allows downloads from the local network and specifies the validated IP when downloading rather than relying on DNS. Discoverer: Adrian Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/). The Concrete CMS team gave this a CVSS 3.1 score of 3.5 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N. | 5.3 |
2021-09-27 | CVE-2021-40109 | Server-Side Request Forgery (SSRF) vulnerability in Concretecms Concrete CMS. An SSRF issue was discovered in Concrete CMS through 8.5.5. | 6.4 |
2021-09-27 | CVE-2021-40105 | Cross-site Scripting vulnerability in Concretecms Concrete CMS. An issue was discovered in Concrete CMS through 8.5.5. | 6.1 |
2021-09-27 | CVE-2021-40106 | Cross-site Scripting vulnerability in Concretecms Concrete CMS. An issue was discovered in Concrete CMS through 8.5.5. | 6.1 |
2021-09-24 | CVE-2021-40100 | Cross-site Scripting vulnerability in Concretecms Concrete CMS. An issue was discovered in Concrete CMS through 8.5.5. | 5.4 |
2021-09-23 | CVE-2021-22949 | Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS. A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to duplicate files, which can lead to UI inconvenience and exhaustion of disk space. Credit for discovery: "Solar Security CMS Research Team" | 5.4 |