Concretecms Concrete Cms vulnerabilities
153 known vulnerabilities affecting concretecms/concrete_cms.
Total CVEs: 153
CISA KEV: 0
Public exploits: 4
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 37, MEDIUM 109, LOW 1
Vulnerabilities
Page 1 of 8
CVE-2017-18195 | P3 | MEDIUM | CVSS 5.3 | PoC | fixed in 8.3.0 | 2018-02-26
An issue was discovered in tools/conversations/view_ajax.php in Concrete5 before 8.3.0. An unauthenticated user can enumerate comments from all blog posts by POSTing requests to /index.php/tools/required/conversations/view_ajax with incremental 'cnvID' integers.
nvd
CVE-2026-8350 | P3 | HIGH | CWE-863 | CVSS 8.8 | affected ≤ 9.5.0 | 2026-05-21
Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group. Any authenticated user with access to the bulk user assignment dashboard page can add any user email to any group and can remove legitimate admins. The Concrete CMS security team gave this vul
nvd
CVE-2017-7725 | P3 | MEDIUM | CWE-79 | CVSS 6.1 | PoC | v8.1.0 | 2017-04-13
concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "canonical" URL on installation of concrete5 using the "Advanced Options" settings. Remote attackers can make a GET request with any domain name in the Host header; this is stored and allows for arbitrary domains to be set for certain lin
nvd
CVE-2022-30117 | P3 | CRITICAL | CWE-22 | CVSS 9.1 | fixed in 8.5.8; affected ≥ 9.0.0, < 9.1.0 | 2022-06-24
Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 allow traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. This was remediated by sanitizing /index.php/ccm/system/file/upload to ensure Concrete doesn’t allow traversal and by changing isFullChunkFilePresent to have an early false retur
nvd
CVE-2022-21829 | P3 | CRITICAL | CWE-319 | CVSS 9.8 | fixed in 8.5.8; affected ≥ 9.0.0, < 9.1.0 | 2022-06-24
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concrete_secure’ instead of ‘concrete’. Concrete now only makes requests over https even a request comes in via http. Concrete CMS security team ranked this 8 with CVSS
nvd
CVE-2023-48648 | P3 | CRITICAL | CWE-276 | CVSS 9.8 | fixed in 8.5.13; affected ≥ 9.0, < 9.2.2 | 2023-11-17
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions. File creation functions (such as the Mkdir() function) give universal access (0777) to created folders by default. Excessive permissions can be granted when creating a directory with permissions greater than 075
nvd
CVE-2021-40097 | P3 | HIGH | CWE-22 | CVSS 8.8 | affected ≤ 8.5.5 | 2021-09-27
An issue was discovered in Concrete CMS through 8.5.5. Authenticated path traversal leads to remote code execution via uploaded PHP code, related to the bFilename parameter.
nvd
CVE-2026-8135 | P3 | HIGH | CWE-502 | CVSS 7.2 | affected ≤ 9.5.0 | 2026-05-21
Concrete CMS 9.5.0 and below is vulnerable to Remote Code Execution due to insecure deserialization occurring in the ExpressEntryList block controller. A rogue administrator with privileges to add blocks to an area can bypass the intended protection mechanism (_fromCIF === true), which normally restricts malicious inputs over form POST requests, by leve
nvd
CVE-2021-22958 | P3 | CRITICAL | CWE-918 | CVSS 9.8 | fixed in 8.5.5 | 2021-10-07
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP address to bypass the limitations in place for localhost allowing interaction with local services. Impact can vary depending on services exposed. CVSSv2.0 AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
nvd
CVE-2026-8134 | P3 | HIGH | CWE-23 | CVSS 7.2 | affected ≤ 9.5.0 | 2026-05-21
Concrete CMS 9.5.0 and below fails to sanitize path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field when saving page type composer form layouts. An authenticated rogue administrator with composer form editing rights can exploit this to include arbitrary readable files on the server. Combined with the file uploader's extensio
nvd
CVE-2021-22966 | P3 | HIGH | CWE-863 | CVSS 8.8 | fixed in 8.5.7 | 2021-11-19
Privilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. If a group is granted "view" permissions on the bulkupdate page, then users in that group can escalate to being an administrator with a specially crafted curl. Fixed by adding a check for group permissions before allowing a group to be moved. Concrete CMS S
nvd
CVE-2026-8421 | P3 | HIGH | CWE-352 | CVSS 8.8 | fixed in 9.5.1 | 2026-05-21
Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package() method of concrete/controllers/single_page/dashboard/extend/install.php. An attacker who can cause an authenticated administrator to visit a crafted page, and who has placed or caused a package to be present under DIR_PACKAGES//, can force the installation of that packag
nvd
CVE-2026-8426 | P3 | HIGH | CWE-352 | CVSS 8.8 | fixed in 9.5.1 | 2026-05-21
Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/prepare_remote_upgrade/. An attacker who controls the remote package returned for a known marketplace item ID can overwrite the package PHP on disk and force its upgrade() method to execute in a single browser navigation. This results in re
nvd
CVE-2020-24986 | P3 | HIGH | CWE-434 | CVSS 7.2 | affected ≤ 8.5.2 | 2020-09-04
Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File Manager. It is possible to modify site configuration to upload the PHP file and execute arbitrary commands.
nvd
CVE-2021-40102 | P3 | CRITICAL | CWE-502 | CVSS 9.1 | affected ≤ 8.5.5 | 2021-09-24
An issue was discovered in Concrete CMS through 8.5.5. Arbitrary File deletion can occur via PHAR deserialization in is_dir (PHP Object Injection associated with the __wakeup magic method).
nvd
CVE-2021-22968 | P3 | HIGH | CWE-98 | CVSS 7.2 | fixed in 8.5.7 | 2021-11-19
A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below. The external file upload feature stages files in the public directory even if they have disallowed file extensions. They are stored in a directory with a random name, but it's possible to
nvd
CVE-2020-11476 | P3 | HIGH | CWE-434 | CVSS 7.2 | fixed in 8.5.3 | 2020-07-28
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file.
nvd
CVE-2021-3111 | P4 | MEDIUM | CWE-79 | CVSS 4.8 | PoC | fixed in 8.5.5 | 2021-01-08
The Express Entries Dashboard in Concrete5 8.5.4 allows stored XSS via the name field of a new data object at an index.php/dashboard/express/entries/view/ URI.
nvd
CVE-2026-3452 | P3 | HIGH | CWE-502 | CVSS 7.2 | fixed in 9.4.8 | 2026-03-04
Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to unserialize() without class restrictions or integrity check
nvd
CVE-2026-8417 | P3 | HIGH | CWE-352 | CVSS 8.8 | fixed in 9.5.1 | 2026-05-21
Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/do_update/. The do_update() method in concrete/controllers/single_page/dashboard/extend/update.php checks only canInstallPackages() before executing upgradeCoreData() and upgrade() on the named package's controller. Because the endpoint is
nvd