ReportizFlow
Filtered by vendor Concretecms
Subscriptions
Filtered by product Concrete Cms
Subscriptions
Total
99 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-44766 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 4.8 Medium |
| A Cross Site Scripting (XSS) vulnerability in Concrete CMS v.9.2.1 allows an attacker to execute arbitrary code via a crafted script to the SEO - Extra from Page Settings. NOTE: the vendor disputes this because this SEO-related header change can only be made by an admin, and allowing an admin to place JavaScript there is an intentional customization feature. | ||||
| CVE-2023-44765 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 5.4 Medium |
| A Cross Site Scripting (XSS) vulnerability in Concrete CMS versions 8.5.12 and below, and 9.0 through 9.2.1 allows an attacker to execute arbitrary code via a crafted script to Plural Handle of the Data Objects from System & Settings. | ||||
| CVE-2023-44764 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 5.4 Medium |
| A Cross Site Scripting (XSS) vulnerability in Concrete CMS before 9.2.3 exists via the Name parameter during installation (aka Site of Installation or Settings). | ||||
| CVE-2023-44763 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 5.4 Medium |
| Concrete CMS v9.2.1 is affected by an Arbitrary File Upload vulnerability via a Thumbnail file upload, which allows Cross-Site Scripting (XSS). NOTE: the vendor's position is that a customer is supposed to know that "pdf" should be excluded from the allowed file types, even though pdf is one of the allowed file types in the default configuration. | ||||
| CVE-2023-44762 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 5.4 Medium |
| A Cross Site Scripting (XSS) vulnerability in Concrete CMS from versions 9.2.0 to 9.2.2 allows an attacker to execute arbitrary code via a crafted script to the Tags from Settings - Tags. | ||||
| CVE-2023-44761 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 5.4 Medium |
| Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS versions affected to 8.5.13 and below, and 9.0.0 through 9.2.1 allow a local attacker to execute arbitrary code via a crafted script to the Forms of the Data objects. | ||||
| CVE-2023-44760 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 4.8 Medium |
| Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow an attacker to execute arbitrary code via a crafted script to the Header and Footer Tracking Codes of the SEO & Statistics. NOTE: the vendor disputes this because these header/footer changes can only be made by an admin, and allowing an admin to place JavaScript there is an intentional customization feature. Also, the exploitation method claimed by "sromanhu" does not provide any access to a Concrete CMS session, because the Concrete CMS session cookie is configured as HttpOnly. | ||||
| CVE-2023-28821 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 5.3 Medium |
| Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets. | ||||
| CVE-2023-28820 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 2 Low |
| Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized. | ||||
| CVE-2023-28819 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 3.5 Low |
| Concrete CMS (previously concrete5) versions 8.5.12 and below, 9.0.0 through 9.0.2 is vulnerable to Stored XSS in uploaded file and folder names. | ||||
| CVE-2023-28477 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 5.5 Medium |
| Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to stored XSS on API Integrations via the name parameter. | ||||
| CVE-2023-28476 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 5.4 Medium |
| Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Tags on uploaded files. | ||||
| CVE-2023-28475 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 6.1 Medium |
| Concrete CMS (previously concrete5) versions 8.5.12 and below, and versions 9.0 through 9.1.3 is vulnerable to Reflected XSS on the Reply form because msgID was not sanitized. | ||||
| CVE-2023-28472 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 5.3 Medium |
| Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 does not have Secure and HTTP only attributes set for ccmPoll cookies. | ||||
| CVE-2023-28471 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 5.4 Medium |
| Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS via a container name. | ||||
| CVE-2022-43968 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 6.1 Medium |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the dashboard icons due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | ||||
| CVE-2022-43967 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 6.1 Medium |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the multilingual report due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | ||||
| CVE-2022-43695 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 4.8 Medium |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn’t exist or, if it does exist, contains XSS since it was not properly sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. | ||||
| CVE-2022-43694 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 6.1 Medium |
| Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the image manipulation library due to un-sanitized output. | ||||
| CVE-2022-43693 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 8.8 High |
| Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth. | ||||