
Concretecms Concrete Cms vulnerabilities

153 known vulnerabilities affecting concretecms/concrete_cms.

Total CVEs: 153
CISA KEV: 0
Public exploits: 4
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 37, MEDIUM 109, LOW 1

Vulnerabilities

Page 3 of 8
CVE-2021-22951 | P3 | HIGH | CVSS 7.5 | fixed in 8.5.7 | 2021-11-19
[HIGH] CWE-639: Unauthorized individuals could view password protected files using view_inline in Concrete CMS (previously concrete5) prior to version 8.5.7. Concrete CMS now checks to see if a file has a password in view_inline and, if it does, the file is not rendered. For version 8.5.6, the following mitigations were put in place a. restricting file types for view
Source: nvd
CVE-2021-40101 | P3 | HIGH | CVSS 7.2 | fixed in 8.5.7 | 2021-11-30
[HIGH] CWE-732: An issue was discovered in Concrete CMS before 8.5.7. The Dashboard allows a user's password to be changed without a prompt for the current password.
Source: nvd
CVE-2021-22970 | P3 | HIGH | CVSS 7.5 | affected ≤ 8.5.6, v9.0 | 2021-11-19
[HIGH] CWE-918: Concrete CMS (formerly concrete5) versions 8.5.6 and below and version 9.0.0 allow local IP importing, leaving the system vulnerable to (a) SSRF attacks on private LAN servers by reading files from the local LAN (an attacker can pivot in the private LAN and exploit local network apps) and (b) SSRF mitigation bypass through DNS rebinding. Concrete CMS
Source: nvd
CVE-2021-22954 | P3 | HIGH | CVSS 8.8 | fixed in 9.0 | 2022-02-09
[HIGH] CWE-352: A cross-site request forgery vulnerability exists in Concrete CMS <v9 that could allow an attacker to make requests on behalf of other users.
Source: nvd
CVE-2021-40108 | P3 | HIGH | CVSS 8.8 | fixed in 8.5.6 | 2021-09-27
[HIGH] CWE-352: An issue was discovered in Concrete CMS through 8.5.5. The Calendar is vulnerable to CSRF. ccm_token is not verified on the ccm/calendar/dialogs/event/add/save endpoint.
Source: nvd
CVE-2026-7887 | P3 | MEDIUM | CVSS 6.4 | fixed in 9.5.1 | 2026-05-21
[MEDIUM] CWE-1287: For Concrete CMS 9.5.0 and below, the OAuth 2.0 authorization-code handler bypasses account status. A user with uIsActive=0 (suspended, banned, terminated employee) can still authenticate via OAuth and receive valid API tokens. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/V
Note that the CVSS 6.4 in the listing header is not the vendor's own rating; the vendor's v4.0 score is 2.3, and the same gap between listing score and vendor score appears in several of the 2026 entries below.
Source: nvd
CVE-2021-40104 | P3 | HIGH | CVSS 7.5 | affected ≤ 8.5.5 | 2021-09-27
[HIGH] An issue was discovered in Concrete CMS through 8.5.5. There is an SVG sanitizer bypass.
Source: nvd
CVE-2018-13790 | P3 | HIGH | CVSS 7.2 | affected v8.2.0 | 2018-07-09
[HIGH] CWE-918: A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to attacks on the local network and mapping of the internal network, because of URL functionality on the File Manager page.
Source: nvd
CVE-2026-30662 | P3 | MEDIUM | CVSS 6.5 | affected v9.4.7 | 2026-03-24
[MEDIUM] CWE-400: ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The 'download' method in 'concrete/controllers/backend/file.php' improperly manages memory when creating zip archives. It uses 'ZipArchive::addFromString' combined with 'file_get_contents', which loads the entire content of every selected file into PHP
Source: nvd
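The allocation pattern the CVE-2026-30662 entry describes, next to a streaming variant, as an added example. This is not Concrete CMS code: the function names, the temp-file input, the entry-name prefix and the 512 MiB cap are this example's own assumptions.

```php
<?php
// Added example (not Concrete CMS code): the allocation pattern the
// CVE-2026-30662 entry describes, next to a streaming variant with a size cap.
// Paths, entry names and the cap are this example's assumptions.

/** Vulnerable shape: the full content of every file is held in PHP memory. */
function zip_in_memory(array $paths, string $zipPath): int
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        throw new RuntimeException("Cannot create $zipPath");
    }
    foreach ($paths as $path) {
        // file_get_contents() materialises the whole file and addFromString()
        // keeps a copy until close(); a large multi-file selection exhausts
        // memory_limit and the worker dies with a fatal error.
        $zip->addFromString(basename($path), file_get_contents($path));
    }
    $count = $zip->numFiles;
    $zip->close();
    return $count;
}

/**
 * Hardened shape: addFile() only records the path; libzip reads each file in
 * chunks when close() writes the archive. The byte cap bounds the work a
 * single request can trigger regardless of how the files are read.
 */
function zip_streaming(array $paths, string $zipPath, int $maxTotalBytes = 512 * 1024 * 1024): int
{
    $total = 0;
    foreach ($paths as $path) {
        if (!is_file($path) || !is_readable($path)) {
            throw new InvalidArgumentException("Not a readable file: $path");
        }
        $total += filesize($path);
        if ($total > $maxTotalBytes) {
            throw new RuntimeException("Selection exceeds the download size cap");
        }
    }
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        throw new RuntimeException("Cannot create $zipPath");
    }
    foreach ($paths as $i => $path) {
        // Prefix with an index so two selected files that share a basename
        // do not overwrite each other inside the archive.
        $zip->addFile($path, sprintf('%03d_%s', $i, basename($path)));
    }
    $count = $zip->numFiles;
    $zip->close();   // the source files must still exist at this point
    return $count;
}

// Constructed input: two small temp files so the example runs offline.
$dir   = sys_get_temp_dir();
$files = [];
foreach (['first.txt', 'second.txt'] as $name) {
    $path = $dir . DIRECTORY_SEPARATOR . 'zipdemo_' . $name;
    file_put_contents($path, str_repeat($name[0], 4096));
    $files[] = $path;
}
$out = $dir . DIRECTORY_SEPARATOR . 'zipdemo.zip';
printf("streamed %d entries into %s (%d bytes)\n", zip_streaming($files, $out), $out, filesize($out));
```

Swapping addFromString for addFile removes the per-file copy, but it does not by itself bound the request: the size cap (and a matching limit on how many files one download may select) is what turns an unbounded allocation into a predictable one.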
CVE-2021-40109 | P3 | MEDIUM | CVSS 6.4 | fixed in 8.5.6 | 2021-09-27
[MEDIUM] CWE-918: An SSRF issue was discovered in Concrete CMS through 8.5.5. Users can access forbidden files on their local network. A user with permissions to upload files from external sites can upload a URL that redirects to an internal resource of any file type. The redirect is followed and loads the contents of the file from the redirected-to server. Files of d
Source: nvd
CVE-2022-43690 | P3 | MEDIUM | CVSS 6.3 | fixed in 8.5.10 | affected ≥ 9.0.0, ≤ 9.1.2 | 2022-11-14
[MEDIUM] CWE-287: Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 did not use strict comparison for the legacy_salt, so that limited authentication bypass could occur if using this functionality. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
Source: nvd
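The comparison pitfall behind the "did not use strict comparison" wording in the CVE-2022-43690 entry, as an added example. This is not Concrete CMS code and does not reproduce the legacy_salt code path: the digest layout (md5 of salt + password), the empty salt and the two preimages are this example's assumptions, chosen only to produce two different digests that PHP's == treats as equal.

```php
<?php
// Added example (not Concrete CMS code): why == is not a safe comparison for
// security-relevant strings in PHP. The digest layout (md5 of salt + password)
// is assumed for illustration; only the shape of the compared strings matters.

/** Legacy-style digest; the concatenation order is assumed for illustration. */
function legacy_digest(string $salt, string $password): string
{
    return md5($salt . $password);
}

/**
 * Loose comparison. When both operands are numeric strings PHP compares them
 * as numbers, so "0e1" == "0e2" is true (both are 0 * 10^n) in PHP 7 and 8.
 */
function digests_match_loose(string $stored, string $candidate): bool
{
    return $stored == $candidate;
}

/** Strict comparison, byte for byte, in constant time. */
function digests_match_strict(string $stored, string $candidate): bool
{
    return hash_equals($stored, $candidate);
}

/** Checks a password against a stored digest using the chosen comparison. */
function check_password(string $salt, string $stored, string $password, bool $strict): bool
{
    $candidate = legacy_digest($salt, $password);
    return $strict ? digests_match_strict($stored, $candidate)
                   : digests_match_loose($stored, $candidate);
}

// Constructed demonstration: two well-known md5 preimages whose digests are
// both "0e" followed only by decimal digits, so they compare equal under ==.
$salt   = '';                                  // empty salt exposes the raw md5
$stored = legacy_digest($salt, '240610708');   // the real user's password
$guess  = 'QNKCDZO';                           // a different string, a different digest

printf("digests byte-identical: %s\n", var_export($stored === legacy_digest($salt, $guess), true));
printf("loose check accepts:    %s\n", var_export(check_password($salt, $stored, $guess, false), true));
printf("strict check accepts:   %s\n", var_export(check_password($salt, $stored, $guess, true), true));
```

With a real, non-empty salt an attacker would need a preimage for that salt, which is why the entry calls the bypass "limited"; the durable fix is the same in every case, which is to compare with === or hash_equals() and never with ==.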
CVE-2026-8140 | P3 | MEDIUM | CVSS 6.5 | affected ≤ 9.5.0 | 2026-05-21
[MEDIUM] CWE-352: Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/install/download/. The download() method in concrete/controllers/single_page/dashboard/extend/install.php checks only the canInstallPackages() permission before fetching a remote marketplace package and writing it to the server's DIR_PACKAGES di
Source: nvd
CVE-2026-7890 | P4 | MEDIUM | CVSS 6.4 | fixed in 9.5.1 | 2026-05-21
[MEDIUM] CWE-918: In Concrete CMS 9.5.0 and below, the RSS Displayer block accepts a feed URL from any page editor and fetches it server-side without validation, enabling redirect-to-internal bypasses. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N.
Source: nvd
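The three SSRF failure modes the entries for CVE-2018-13790, CVE-2021-22970, CVE-2021-40109 and CVE-2026-7890 describe (a private target, a redirect to a private target, and DNS rebinding between the check and the connect) all have to be closed by the same fetcher. Below is one way to do that, as an added example that is not Concrete CMS code: the function names, the web-ports-only policy, the 5 MiB body cap and the redirect budget are this example's assumptions.

```php
<?php
// Added example (not Concrete CMS code): a URL fetcher that refuses private
// targets, re-validates every redirect hop itself, and pins the connection to
// the address it validated so a rebinding DNS answer cannot change the target.
// Function names, the port policy and the size/redirect limits are assumptions.

/**
 * Resolve $host and return its addresses if every one of them is public,
 * or null if it is unresolvable or any address is private/reserved.
 * Limitation: gethostbynamel() returns A records only, so AAAA-only names
 * and bracketed IPv6 literals are refused rather than validated.
 */
function public_addresses(string $host): ?array
{
    $ips = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : gethostbynamel($host);
    if ($ips === false || $ips === []) {
        return null;
    }
    foreach ($ips as $ip) {
        // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16 and fc00::/7;
        // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::1 and friends.
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return null;
        }
    }
    return $ips;
}

/** Fetch $url, validating the target before the first request and before each redirect. */
function fetch_public_url(string $url, int $maxHops = 3): string
{
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        $parts = parse_url($url);
        if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
            throw new InvalidArgumentException("Unparseable URL: $url");
        }
        $scheme = strtolower($parts['scheme']);
        if ($scheme !== 'http' && $scheme !== 'https') {
            throw new InvalidArgumentException("Scheme not allowed: $scheme");
        }
        $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
        if ($port !== 80 && $port !== 443) {          // example policy: web ports only
            throw new InvalidArgumentException("Port not allowed: $port");
        }
        $ips = public_addresses($parts['host']);
        if ($ips === null) {
            throw new RuntimeException("Refusing non-public target: {$parts['host']}");
        }

        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false,               // redirects are walked below
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_CONNECTTIMEOUT => 5,
            CURLOPT_TIMEOUT        => 10,
            CURLOPT_MAXFILESIZE    => 5 * 1024 * 1024,     // cap the body we accept
            // Pin the validated address: libcurl will not resolve the name again,
            // so a DNS answer that changes after the check buys the attacker nothing.
            CURLOPT_RESOLVE        => ["{$parts['host']}:{$port}:{$ips[0]}"],
        ]);
        $body   = curl_exec($ch);
        $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $next   = curl_getinfo($ch, CURLINFO_REDIRECT_URL);  // absolute Location, or empty
        $err    = curl_error($ch);
        curl_close($ch);

        if ($body === false) {
            throw new RuntimeException("Fetch failed: $err");
        }
        if ($status >= 300 && $status < 400 && is_string($next) && $next !== '') {
            $url = $next;   // next iteration validates the new target before connecting
            continue;
        }
        return $body;
    }
    throw new RuntimeException("Too many redirects");
}
```

Disabling CURLOPT_FOLLOWLOCATION is the part most often missed: with it enabled, libcurl follows the Location header on its own and the private-address check is only ever applied to the first hop, which is exactly the redirect-to-internal bypass the CVE-2021-40109 and CVE-2026-7890 entries describe.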
CVE-2026-2994 | P4 | MEDIUM | CVSS 6.8 | fixed in 9.4.8 | 2026-03-04
[MEDIUM] CWE-352: Concrete CMS below version 9.4.8 is subject to CSRF by a rogue administrator using the Anti-Spam Allowlist Group Configuration via the group_id parameter, which can lead to a security bypass since changes are saved prior to checking the CSRF token. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.3 with vector CVSS:4.0/AV:N/A
Source: nvd
CVE-2026-8435 | P4 | MEDIUM | CVSS 6.5 | affected ≥ 9.0, < 9.5.1 | 2026-05-21
[MEDIUM] CWE-352: Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file approveVersion(). The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Source: nvd
CVE-2026-6826 | P4 | MEDIUM | CVSS 5.3 | fixed in 9.5.1 | 2026-05-21
[MEDIUM] CWE-200: Concrete CMS 9.5.0 and below is vulnerable to unauthenticated file usage disclosure via a missing permission check in the usage controller. Any unauthenticated visitor can request /ccm/system/dialogs/file/usage/{fID} with any file ID and receive a list of every page that references that file, including page IDs, handles, and full URLs. This includes page
Source: nvd
CVE-2026-7879 | P4 | MEDIUM | CVSS 5.3 | fixed in 9.5.1 | 2026-05-21
[MEDIUM] CWE-862: In Concrete CMS 9.5.0 and below, the submit_password() method in concrete/controllers/single_page/download_file.php allows unauthorized file access, since downloading permission-restricted files bypasses the view_file permission check. Files without passwords can be downloaded and any user who knows a file's password can download a password protected fi
Source: nvd
CVE-2026-8337 | P4 | MEDIUM | CVSS 5.3 | fixed in 9.5.1 | 2026-05-21
[MEDIUM] CWE-565: Concrete CMS 9.5.0 and below is vulnerable to IDOR in surveys. To be vulnerable, a site would have to be configured in such a way that both public and private surveys are present on the site. An unauthenticated attacker can vote in the restricted survey by submitting the restricted optionID through the public survey's endpoint. The Concrete CMS securi
Source: nvd
CVE-2021-22950 | P4 | MEDIUM | CVSS 6.5 | fixed in 8.5.6 | 2021-09-23
[MEDIUM] CWE-352: Concrete CMS prior to 8.5.6 had a CSRF vulnerability allowing attachments to comments in the conversation section to be deleted. Credit for discovery: "Solar Security Research Team"
Source: nvd
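The CSRF entries on this page fail in two distinct ways: the token is never checked (CVE-2021-40108, CVE-2026-8140, CVE-2026-8435, CVE-2021-22950), or it is checked only after the change has been saved (CVE-2026-2994). The handler below shows both orderings side by side, as an added example that is not Concrete CMS code: the ccm_token and group_id parameter names follow the entries, while the function names, the session layout and the in-memory $written store are this example's own.

```php
<?php
// Added example (not Concrete CMS code): a mutating handler with a session-bound
// CSRF token that is compared in constant time and checked before any write.
// Parameter names follow the entries above; everything else is assumed.

/** Issue (or reuse) a per-session token to embed in forms and AJAX requests. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** True only if the submitted token equals the session token (constant time, never ==). */
function csrf_valid(array $session, $submitted): bool
{
    $expected = $session['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

/**
 * Vulnerable ordering, as the CVE-2026-2994 entry describes it: the change is
 * persisted and only then is the token checked, so a forged request has
 * already taken effect by the time validation fails.
 */
function save_group_vulnerable(array $session, array $post, callable $persist): bool
{
    $persist((int) ($post['group_id'] ?? 0));               // side effect first
    return csrf_valid($session, $post['ccm_token'] ?? null); // check too late
}

/** Fixed ordering: the authorization check and the token check both gate the side effect. */
function save_group(array $session, array $post, callable $persist, bool $authorized): bool
{
    if (!$authorized || !csrf_valid($session, $post['ccm_token'] ?? null)) {
        return false;   // nothing has been written
    }
    $persist((int) ($post['group_id'] ?? 0));
    return true;
}

// Constructed session and requests; $written stands in for the database.
$session = [];
$token   = csrf_token($session);
$written = [];
$persist = function (int $groupId) use (&$written): void { $written[] = $groupId; };

$forged = ['group_id' => 42, 'ccm_token' => 'not-the-token'];   // cross-site request
save_group_vulnerable($session, $forged, $persist);
printf("vulnerable handler, forged request: writes=%s\n", json_encode($written));

$written = [];
$ok = save_group($session, $forged, $persist, true);
printf("fixed handler, forged request:      accepted=%s writes=%s\n", var_export($ok, true), json_encode($written));

$ok = save_group($session, ['group_id' => 42, 'ccm_token' => $token], $persist, true);
printf("fixed handler, genuine request:     accepted=%s writes=%s\n", var_export($ok, true), json_encode($written));
```

The CVE-2026-8140 entry is the reminder that a permission check (canInstallPackages() there) is not a substitute for the token: the victim is an authorized user, so authorization passes by construction, and only the token proves the request originated from the site's own page.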
CVE-2025-3153 | P4 | MEDIUM | CVSS 6.5 | fixed in 8.5.20 | affected ≥ 9.0, < 9.4.0 (+1 more) | 2025-04-03
[MEDIUM] CWE-79: Concrete CMS version 9 below 9.4.0RC2 and versions below 8.5.20 are vulnerable to CSRF and XSS in the Concrete CMS Address attribute because addresses are not properly sanitized in the output when a country is not specified. Attackers are limited to individuals whom a site administrator has granted the ability to fill in an address attribute. It is pos
Source: nvd
Concretecms Concrete Cms vulnerabilities | cvebase