
Concretecms Concrete Cms vulnerabilities

153 known vulnerabilities affecting concretecms/concrete_cms.

Total CVEs: 153
CISA KEV: 0
Public exploits: 4
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 37, MEDIUM 109, LOW 1

Vulnerabilities

Page 5 of 8
CVE-2026-8245 | P4 | MEDIUM | CVSS 5.4 | fixed in 9.5.1 | 2026-05-21
CWE-83 | source: nvd
Concrete CMS 9.5.0 and below is vulnerable to Reflected XSS in Legacy Pagination via HTML attribute injection. Concrete\Core\Legacy\Pagination builds pagination links by raw-interpolating its $URL field into href="". Any authenticated admin or report viewer with access to `/dashboard/reports/forms/legacy` who clicks the crafted URL fires the payload

CVE-2022-30120 | P4 | MEDIUM | CVSS 6.1 | fixed in 8.5.8 | affected ≥ 9.0.0, < 9.1.0 | 2022-06-24
CWE-79 | source: nvd
XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 to allow XSS. This cannot be exploited in modern-day web browsers due to an auto

CVE-2021-40106 | P4 | MEDIUM | CVSS 6.1 | affected ≤ 8.5.5 | 2021-09-27
CWE-79 | source: nvd
An issue was discovered in Concrete CMS through 8.5.5. There is unauthenticated stored XSS in blog comments via the website field.

CVE-2023-28474 | P4 | MEDIUM | CVSS 5.4 | fixed in 9.2.0 | 2023-04-28
CWE-79 | source: nvd
Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Saved Presets on search.

CVE-2022-43687 | P4 | MEDIUM | CVSS 5.4 | fixed in 8.5.10 | affected ≥ 9.0.0, ≤ 9.1.2 | 2022-11-14
CWE-384 | source: nvd
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

CVE-2023-28471 | P4 | MEDIUM | CVSS 5.4 | fixed in 9.2.0 | 2023-04-28
CWE-79 | source: nvd
Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS via a container name.

CVE-2022-43691 | P4 | MEDIUM | CVSS 5.3 | fixed in 8.5.10 | affected ≥ 9.0.0, ≤ 9.1.2 | 2022-11-14
CWE-319 | source: nvd
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently disclose server-side sensitive information (secrets in environment variables and server information) when Debug Mode is left on in production.

CVE-2022-30118 | P4 | MEDIUM | CVSS 6.1 | fixed in 8.5.8 | affected ≥ 9.0.0, < 9.1.0 | 2022-06-24
CWE-79 | source: nvd
XSS in /dashboard/system/express/entities/forms/save_control/[GUID]: old browsers only. When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 can allow XSS. This cannot be exploited in modern-day we

CVE-2022-30119 | P4 | MEDIUM | CVSS 6.1 | fixed in 8.5.8 | affected ≥ 9.0.0, < 9.1.0 | 2022-06-24
CWE-79 | source: nvd
XSS in /dashboard/reports/logs/view - old browsers only. When using Internet Explorer with the XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2. This cannot be exploited in modern-day web browsers due to an automatic input escape mechani

CVE-2023-28475 | P4 | MEDIUM | CVSS 6.1 | fixed in 9.2.0 | 2023-04-28
CWE-79 | source: nvd
Concrete CMS (previously concrete5) versions 8.5.12 and below, and versions 9.0 through 9.1.3 is vulnerable to Reflected XSS on the Reply form because msgID was not sanitized.

CVE-2021-40105 | P4 | MEDIUM | CVSS 6.1 | affected ≤ 8.5.5 | 2021-09-27
CWE-79 | source: nvd
An issue was discovered in Concrete CMS through 8.5.5. There is XSS via Markdown Comments.

CVE-2022-43556 | P4 | MEDIUM | CVSS 6.1 | fixed in 8.5.10 | affected ≥ 9.0.0, ≤ 9.1.2 | 2022-12-05
CWE-79 | source: nvd
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. The Concrete CMS security team has ranked this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N. Thanks @_akbar_jafarli_ for reporting. Remediate by updating to Co

CVE-2022-43968 | P4 | MEDIUM | CVSS 6.1 | fixed in 8.5.10 | affected ≥ 9.0.0, ≤ 9.1.2 | 2022-11-14
CWE-79 | source: nvd
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the dashboard icons due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

CVE-2022-43967 | P4 | MEDIUM | CVSS 6.1 | fixed in 8.5.10 | affected ≥ 9.0.0, ≤ 9.1.2 | 2022-11-14
CWE-79 | source: nvd
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the multilingual report due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

CVE-2022-43692 | P4 | MEDIUM | CVSS 6.1 | fixed in 8.5.10 | affected ≥ 9.0.0, ≤ 9.1.2 | 2022-11-14
CWE-79 | source: nvd
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS - a user can cause an administrator to trigger reflected XSS with a url if the targeted administrator is using an old browser that lacks XSS protection. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

CVE-2021-28145 | P4 | MEDIUM | CVSS 5.4 | fixed in 8.5.5 | 2021-03-18
CWE-79 | source: nvd
Concrete CMS (formerly concrete5) before 8.5.5 allows remote authenticated users to conduct XSS attacks via a crafted survey block. This requires at least Editor privileges.

CVE-2023-44765 | P4 | MEDIUM | CVSS 5.4 | v9.2.1 | 2023-10-06
CWE-79 | source: nvd
A Cross Site Scripting (XSS) vulnerability in Concrete CMS versions 8.5.12 and below, and 9.0 through 9.2.1 allows an attacker to execute arbitrary code via a crafted script to Plural Handle of the Data Objects from System & Settings.

CVE-2023-44761 | P4 | MEDIUM | CVSS 5.4 | v9.2.1 | 2023-10-06
CWE-79 | source: nvd
Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS versions affected to 8.5.13 and below, and 9.0.0 through 9.2.1 allow a local attacker to execute arbitrary code via a crafted script to the Forms of the Data objects.

CVE-2023-28821 | P4 | MEDIUM | CVSS 5.3 | fixed in 9.1.0 | 2023-04-28
CWE-640 | source: nvd
Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets.

CVE-2021-22949 | P4 | MEDIUM | CVSS 5.4 | affected ≤ 8.5.5 | 2021-09-23
CWE-352 | source: nvd
A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to duplicate files which can lead to UI inconvenience, and exhaustion of disk space. Credit for discovery: "Solar Security CMS Research Team"