Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
concretecms vulnerabilities and exploits
(subscribe to this query)
6.4
CVSSv2
CVE-2022-30117
Concrete 8.5.7 and below as well as Concrete 9.0 up to and including 9.0.2 allow traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. This was remediated by sanitizing /index.php/ccm/system/file/upload to ensure Concrete doesn&rsq...
Concretecms Concrete Cms
4.3
CVSSv2
CVE-2022-30120
XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 up to and including 9...
Concretecms Concrete Cms
5.8
CVSSv2
CVE-2021-22953
A CSRF in Concrete CMS version 8.5.5 and below allows an malicious user to clone topics which can lead to UI inconvenience, and exhaustion of disk space.Credit for discovery: "Solar Security Research Team"
Concretecms Concrete Cms
6.8
CVSSv2
CVE-2021-22954
A cross-site request forgery vulnerability exists in Concrete CMS <v9 that could allow an malicious user to make requests on behalf of other users.
Concretecms Concrete Cms
1 Github repository
5
CVSSv2
CVE-2017-18195
An issue exists in tools/conversations/view_ajax.php in Concrete5 prior to 8.3.0. An unauthenticated user can enumerate comments from all blog posts by POSTing requests to /index.php/tools/required/conversations/view_ajax with incremental 'cnvID' integers.
Concretecms Concrete Cms
1 EDB exploit
5
CVSSv2
CVE-2020-14961
Concrete5 prior to 8.5.3 does not constrain the sort direction to a valid asc or desc value.
Concretecms Concrete Cms
7.5
CVSSv2
CVE-2022-21829
Concrete CMS Versions 9.0.0 up to and including 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concrete_secure’ instead of ‘concrete’. Concrete now only makes...
Concretecms Concrete Cms
NA
CVE-2023-28819
Concrete CMS (previously concrete5) versions 8.5.12 and below, 9.0.0 up to and including 9.0.2 is vulnerable to Stored XSS in uploaded file and folder names.
Concretecms Concrete Cms
NA
CVE-2023-28820
Concrete CMS (previously concrete5) prior to 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized.
Concretecms Concrete Cms
NA
CVE-2023-28821
Concrete CMS (previously concrete5) prior to 9.1 did not have a rate limit for password resets.
Concretecms Concrete Cms
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-4956
validation
CVE-2024-35221
remote attackers
CVE-2023-30309
CVE-2024-36112
CVE-2024-23109
CVE-2023-43850
stored XSS
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
7
8
9
NEXT »