Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
concretecms concrete cms vulnerabilities and exploits
(subscribe to this query)
6.1
CVSSv3
CVE-2021-40106
An issue exists in Concrete CMS up to and including 8.5.5. There is unauthenticated stored XSS in blog comments via the website field.
Concretecms Concrete Cms
5.4
CVSSv3
CVE-2021-22949
A CSRF in Concrete CMS version 8.5.5 and below allows an malicious user to duplicate files which can lead to UI inconvenience, and exhaustion of disk space.Credit for discovery: "Solar Security CMS Research Team"
Concretecms Concrete Cms
6.5
CVSSv3
CVE-2021-22950
Concrete CMS before 8.5.6 had a CSFR vulnerability allowing attachments to comments in the conversation section to be deleted.Credit for discovery: "Solar Security Research Team"
Concretecms Concrete Cms
7.5
CVSSv3
CVE-2021-22951
Unauthorized individuals could view password protected files using view_inline in Concrete CMS (previously concrete 5) prior to version 8.5.7. Concrete CMS now checks to see if a file has a password in view_inline and, if it does, the file is not rendered.For version 8.5.6, the f...
Concretecms Concrete Cms
5.4
CVSSv3
CVE-2021-22953
A CSRF in Concrete CMS version 8.5.5 and below allows an malicious user to clone topics which can lead to UI inconvenience, and exhaustion of disk space.Credit for discovery: "Solar Security Research Team"
Concretecms Concrete Cms
8.8
CVSSv3
CVE-2021-22954
A cross-site request forgery vulnerability exists in Concrete CMS <v9 that could allow an malicious user to make requests on behalf of other users.
Concretecms Concrete Cms
1 Github repository
9.8
CVSSv3
CVE-2021-22958
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP address to bypass the limitations in place for localhost allowing interaction with local services. Impact can vary depending on services exposed.CVSSv2.0 AV:A/...
Concretecms Concrete Cms
8.8
CVSSv3
CVE-2021-22966
Privilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. If a group is granted "view" permissions on the bulkupdate page, then users in that group can escalate to being an administrator with a specially crafted curl. Fixed by addi...
Concretecms Concrete Cms
7.5
CVSSv3
CVE-2021-22967
In Concrete CMS (formerly concrete 5) below 8.5.7, IDOR Allows Unauthenticated User to Access Restricted Files If Allowed to Add Message to a Conversation.To remediate this, a check was added to verify a user has permissions to view files before attaching the files to a message i...
Concretecms Concrete Cms
6.1
CVSSv3
CVE-2023-28475
Concrete CMS (previously concrete5) versions 8.5.12 and below, and versions 9.0 up to and including 9.1.3 is vulnerable to Reflected XSS on the Reply form because msgID was not sanitized.
Concretecms Concrete Cms
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-35229
privilege escalation
local users
CVE-2024-5405
CVE-2024-27842
CVE-2024-5274
CVE-2024-5378
CVE-2024-34152
hard-coded
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
7
NEXT »