Concrete CMS (concretecms/concrete_cms) vulnerabilities
153 known vulnerabilities affecting concretecms/concrete_cms.
Total CVEs: 153
CISA KEV: 0
Public exploits: 4
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 37, MEDIUM 109, LOW 1
Vulnerabilities
Page 7 of 8
CVE-2024-1245 | P4 | MEDIUM | CVSS 4.8 | affected: ≥ 9.0.0, < 9.2.5 | 2024-02-09
CVE-2024-1245 [MEDIUM] CWE-20
Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator entered file attributes are not sufficiently sanitized in the Edit Attributes page. A rogue administrator could put malicious code into the file tags or description attributes and, when another administrator opens the same file fo
Source: nvd
CVE-2024-7512 | P4 | MEDIUM | CVSS 4.8 | affected: ≥ 9.0.0, < 9.3.3 | 2024-08-12
CVE-2024-7512 [MEDIUM] CWE-20
Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in Board instances. A rogue administrator could inject malicious code. The Concrete CMS security team gave this vulnerability a CVSS 4.0 Score of 4.6 with vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Versions below 9 are not affected. Thanks
Source: nvd
CVE-2024-3180 | P4 | MEDIUM | CVSS 4.8 | fixed in 8.5.16 | affected: ≥ 9.0.0, < 9.2.8 | 2024-04-03
CVE-2024-3180 [MEDIUM] CWE-79
Concrete CMS version 9 below 9.2.8 and previous versions below 8.5.16 are vulnerable to Stored XSS in blocks of type file. Stored XSS could be caused by a rogue administrator adding malicious code to the link-text field when creating a block of type file. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of 3.1 with a vector of AV
Source: nvd
CVE-2024-3181 | P4 | MEDIUM | CVSS 4.8 | fixed in 8.5.16 | affected: ≥ 9.0.0, < 9.2.8 | 2024-04-03
CVE-2024-3181 [MEDIUM] CWE-79
Concrete CMS version 9 prior to 9.2.8 and previous versions prior to 8.5.16 are vulnerable to Stored XSS in the Search Field. Prior to the fix, stored XSS could be executed by an administrator changing a filter to which a rogue administrator had previously added malicious code. The Concrete CMS security team gave this vulnerability a CVSS v3.1 score of
Source: nvd
CVE-2024-3178 | P4 | MEDIUM | CVSS 4.8 | fixed in 8.5.16 | affected: ≥ 9.0.0, < 9.2.8 | 2024-04-03
CVE-2024-3178 [MEDIUM] CWE-79
Concrete CMS versions 9 below 9.2.8 and versions below 8.5.16 are vulnerable to Cross-site Scripting (XSS) in the Advanced File Search Filter. Prior to the fix, a rogue administrator could add malicious code in the file manager because of insufficient validation of administrator provided data. All administrators have access to the File Manager and henc
Source: nvd
CVE-2024-3179 | P4 | MEDIUM | CVSS 4.8 | fixed in 8.5.16 | affected: ≥ 9.0.0, < 9.2.8 | 2024-04-03
CVE-2024-3179 [MEDIUM] CWE-79
Concrete CMS version 9 before 9.2.8 and previous versions before 8.5.16 are vulnerable to Stored XSS in the Custom Class page editing. Prior to the fix, a rogue administrator could insert malicious code in the custom class field due to insufficient validation of administrator provided data. The Concrete CMS security team gave this vulnerability a CVSS
Source: nvd
CVE-2024-2179 | P4 | MEDIUM | CVSS 4.8 | affected: ≥ 9.0.0, < 9.2.7 | 2024-03-05
CVE-2024-2179 [MEDIUM] CWE-79
Concrete CMS version 9 before 9.2.7 is vulnerable to Stored XSS via the Name field of a Group type since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Name field which might be executed when users visit the affected page. The Concrete CMS security team gave thi
Source: nvd
CVE-2025-0660 | P4 | MEDIUM | CVSS 4.8 | affected: ≥ 9.0, < 9.4.0 | 2025-03-10
CVE-2025-0660 [MEDIUM] CWE-20
Concrete CMS versions 9.0.0 through 9.3.9 are affected by a stored XSS in the Folder function. The "Add Folder" functionality lacks input sanitization, allowing a rogue admin to inject XSS payloads as folder names. The Concrete CMS security team gave this vulnerability a CVSS 4.0 Score of 4.8 with vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:
Source: nvd
CVE-2024-4353 | P4 | MEDIUM | CVSS 4.8 | affected: ≥ 9.0.0, < 9.3.3 | 2024-08-01
CVE-2024-4353 [MEDIUM] CWE-20
Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board instance functionality. The Name input field does not check the input sufficiently, letting a rogue administrator inject malicious JavaScript code. The Concrete CMS security team gave this vulnerability a CVSS v4 sc
Source: nvd
CVE-2026-3240 | P4 | MEDIUM | CVSS 4.8 | fixed in 9.4.8 | 2026-03-04
CVE-2026-3240 [MEDIUM] CWE-79
In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored XSS attack towards high-privilege accounts via the Question field. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N Thanks min
Source: nvd
CVE-2026-3241 | P4 | MEDIUM | CVSS 4.8 | fixed in 9.4.8 | 2026-03-04
CVE-2026-3241 [MEDIUM] CWE-79
In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the "Legacy Form" block. An authenticated user with permissions to create or edit forms (e.g., a rogue administrator) can inject a persistent JavaScript payload into the options of a multiple-choice question (Checkbox List, Radio Buttons, or Select Box). Th
Source: nvd
CVE-2026-3244 | P4 | MEDIUM | CVSS 4.8 | fixed in 9.4.8 | 2026-03-04
CVE-2026-3244 [MEDIUM] CWE-79
In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the search block, where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScript through page names that executes when users search for and view those p
Source: nvd
CVE-2026-8347 | P4 | MEDIUM | CVSS 4.3 | fixed in 9.5.1 | 2026-05-22
CVE-2026-8347 [MEDIUM] CWE-639
Concrete CMS 9.5.0 and below is vulnerable to IDOR plus a wrong authorization level in the Express association Reorder dialog. This can cause cross-entity state tampering by a user holding only view permission on one entry. To be affected, a website has to be using Express and relying on Express entity ordering. The Concrete CMS security team gave this vulnerability a
Source: nvd
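The reorder entry above combines two distinct failures: the handler accepts any entry IDs the client sends (the IDOR), and it gates the action on view rather than edit permission (the wrong authorization level). The following Python model is an added illustration, not Concrete CMS code (which is PHP); the `Entry` record, the `viewers`/`editors` sets, the user names and the `reorder_*` handlers are all hypothetical. It shows a reorder endpoint with both flaws beside one that requires edit permission on the parent and accepts only a permutation of the IDs already associated with it.

```python
from dataclasses import dataclass, field


@dataclass
class Entry:
    """Hypothetical Express-style entry with per-user permissions and an
    ordered list of associated child entry ids."""
    id: int
    viewers: set = field(default_factory=set)
    editors: set = field(default_factory=set)
    associated: list = field(default_factory=list)


class Forbidden(Exception):
    pass


class BadRequest(Exception):
    pass


def reorder_vulnerable(db: dict, user: str, parent_id: int, new_order: list) -> list:
    """Models the bug class: only view permission is checked, and the
    submitted ids are written back without being matched against the
    parent's own association, so ids from another entity can be slipped in."""
    parent = db[parent_id]
    if user not in parent.viewers:
        raise Forbidden(user)
    parent.associated = list(new_order)
    return parent.associated


def reorder_fixed(db: dict, user: str, parent_id: int, new_order: list) -> list:
    """Require edit permission on the object being changed, and accept only a
    permutation of the ids that are already associated with that object."""
    parent = db.get(parent_id)
    # Unknown id and missing permission look the same to the caller,
    # which avoids confirming which entry ids exist.
    if parent is None or user not in parent.editors:
        raise Forbidden(user)
    if len(set(new_order)) != len(new_order) or sorted(new_order) != sorted(parent.associated):
        raise BadRequest("order must be a permutation of the existing association")
    parent.associated = list(new_order)
    return parent.associated


def raises(exc_type, fn, *args) -> bool:
    """Small helper so callers can check the failure mode as a return value."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


def build_db() -> dict:
    # Constructed sample data: alice may edit both entries, mallory may only view entry 1.
    return {
        1: Entry(1, viewers={"alice", "mallory"}, editors={"alice"}, associated=[10, 11, 12]),
        2: Entry(2, viewers={"alice"}, editors={"alice"}, associated=[20, 21]),
    }


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", reorder_vulnerable(db, "mallory", 1, [20, 21, 10]))
    db = build_db()
    print("fixed rejects view-only user:", raises(Forbidden, reorder_fixed, db, "mallory", 1, [12, 10, 11]))
    print("fixed rejects foreign ids:", raises(BadRequest, reorder_fixed, db, "alice", 1, [20, 21, 10]))
    print("fixed accepts permutation:", reorder_fixed(db, "alice", 1, [12, 10, 11]))
```

The permutation check is what closes the IDOR regardless of how the permission check is written: even an editor cannot reference entries that were never part of the association being reordered.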
CVE-2023-48650 | P4 | MEDIUM | CVSS 4.8 | fixed in 8.5.14 | affected: ≥ 9.0.0, < 9.2.3 | 2024-02-29
CVE-2023-48650 [MEDIUM] CWE-79
Concrete CMS before 8.5.14 and 9 before 9.2.3 is vulnerable to an admin adding a stored XSS payload via the Layout Preset name.
Source: nvd
CVE-2024-1246 | P4 | MEDIUM | CVSS 4.8 | affected: ≥ 9.0.0, < 9.2.5 | 2024-02-09
CVE-2024-1246 [MEDIUM] CWE-20
Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature due to insufficient validation of administrator provided data. A rogue administrator could inject malicious code when importing images, leading to the execution of the malicious code on the website user's browser. The Concrete CMS Security team scored
Source: nvd
CVE-2024-8661 | P4 | MEDIUM | CVSS 4.8 | fixed in 8.5.19 | affected: ≥ 9.0, < 9.3.4 | 2024-09-16
CVE-2024-8661 [MEDIUM] CWE-79
Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in the "Next&Previous Nav" block. A rogue administrator could add a malicious payload that would then execute in the browsers of targeted users. The Concrete CMS Security Team gave this vulnerability a CVSS v4 score of 4.6 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/
Source: nvd
CVE-2024-2753 | P4 | MEDIUM | CVSS 4.8 | fixed in 8.5.16 | affected: ≥ 9.0.0, < 9.2.8 | 2024-04-03
CVE-2024-2753 [MEDIUM] CWE-79
Concrete CMS version 9 before 9.2.8 and previous versions prior to 8.5.16 are vulnerable to Stored XSS on the calendar color settings screen since information input by the user is output without escaping. A rogue administrator could inject malicious JavaScript into the Calendar Color Settings screen which might be executed when users visit the affected
Source: nvd
CVE-2024-8660 | P4 | MEDIUM | CVSS 4.8 | affected: ≥ 9.0.0, < 9.3.4 | 2024-09-17
CVE-2024-8660 [MEDIUM] CWE-79
Concrete CMS versions 9.0.0 through 9.3.3 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block. Since the "Top Navigator Bar" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted users visited the home page. The Concrete CMS Security Team gave this vulnerab
Source: nvd
CVE-2026-3242 | P4 | MEDIUM | CVSS 4.8 | fixed in 9.4.8 | 2026-03-04
CVE-2026-3242 [MEDIUM] CWE-79
In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3dium for reporting.
Source: nvd
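Nearly every entry on this page (file tags and descriptions, folder names, board and group names, layout preset names, block fields, search results, language switcher) is the same defect: a value an administrator typed is written into markup without HTML encoding at the point of output. The Python below is an added illustration of that bug class and its fix, not Concrete CMS code (the project is PHP); the folder-name payload, the row template and the helper names are all constructed for the example. It renders the same admin-supplied name once without encoding and once with context-appropriate encoding, then uses the standard library's HTML parser to show which start tags a browser would actually see.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: a folder name an administrator might submit
# through an "Add Folder" style dialog. Hypothetical, not from any real site.
FOLDER_NAME = '<img src=x onerror="alert(document.cookie)">Reports'


def render_folder_row_vulnerable(name: str) -> str:
    """The shared bug class: admin-supplied text is interpolated straight into
    markup, here both inside a quoted attribute and as element text."""
    return f'<tr><td data-name="{name}">{name}</td></tr>'


def render_folder_row_fixed(name: str) -> str:
    """Encode at output time. quote=True is required inside attribute values and
    is harmless in text content, so one encoded form serves both contexts here.
    Validation on the way in does not replace this step: a value stored before
    the fix is still rendered by the template."""
    safe = html.escape(name, quote=True)
    return f'<tr><td data-name="{safe}">{safe}</td></tr>'


class _TagCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tag_names(markup: str) -> list[str]:
    """Start tags a tolerant HTML parser sees in the rendered row. The template
    itself emits only <tr> and <td>; anything beyond that came from the data."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def contains_raw_payload(markup: str) -> bool:
    """Cheap check usable in a regression test: an unencoded tag or event handler
    survived into the output."""
    return "<img" in markup or 'onerror="' in markup


if __name__ == "__main__":
    for render in (render_folder_row_vulnerable, render_folder_row_fixed):
        out = render(FOLDER_NAME)
        print(f"{render.__name__}: tags={tag_names(out)} raw_payload={contains_raw_payload(out)}")
```

The parser-based check is the more honest test: string matching can be fooled by alternative encodings, whereas asking what tags the markup actually contains mirrors what the victim's browser will do with it.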
CVE-2026-7882 | P4 | MEDIUM | CVSS 4.3 | fixed in 9.5.1 | 2026-05-21
CVE-2026-7882 [MEDIUM] CWE-352
Concrete CMS 9.5.0 and below is vulnerable to unauthorized file deletion due to an inverted CSRF token check in the DeleteFile controller. The code throws an error when the token IS valid and proceeds with file deletion when the token is invalid or missing. This effectively disables CSRF protection for the file deletion endpoint, allowing cross-site re
Source: nvd
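The inverted check described above is worth seeing end to end, because a negated condition passes casual review and the endpoint still "has" CSRF protection on paper. The Python below is an added illustration and not the Concrete CMS DeleteFile controller (which is PHP); the token derivation, the `delete_file_*` handlers, the session id and the file table are all hypothetical. It builds a session-bound HMAC token, implements the handler once with the negated condition and once correctly, and exercises both with a cross-site request (no token, since a third-party page cannot read the victim's token) and with a legitimate dashboard request.

```python
import hashlib
import hmac
import secrets

# Per-install secret used to derive tokens. Generated here so the example
# runs stand-alone; a real deployment keeps it in configuration.
SERVER_SECRET = secrets.token_bytes(32)


def make_token(session_id: str, action: str) -> str:
    """CSRF token bound to the caller's session and to a single action name."""
    msg = f"{session_id}:{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, action: str, presented) -> bool:
    if not presented:
        return False
    return hmac.compare_digest(make_token(session_id, action), presented)


class CsrfError(Exception):
    pass


def delete_file_inverted(files: dict, session_id: str, file_id: int, token) -> bool:
    """Hypothetical handler with the inverted check the advisory describes:
    a valid token raises, while a missing or wrong token lets deletion proceed."""
    if token_is_valid(session_id, "delete_file", token):
        raise CsrfError("token rejected")
    files.pop(file_id, None)
    return file_id not in files


def delete_file_fixed(files: dict, session_id: str, file_id: int, token) -> bool:
    """Correct polarity: refuse unless the token verifies for this session and action."""
    if not token_is_valid(session_id, "delete_file", token):
        raise CsrfError("missing or invalid CSRF token")
    files.pop(file_id, None)
    return file_id not in files


def raises_csrf(fn, *args) -> bool:
    """Report the CSRF failure as a value so both handlers can be compared."""
    try:
        fn(*args)
    except CsrfError:
        return True
    return False


def sample_files() -> dict:
    # Constructed stand-in for the file manager's records.
    return {1: "report.pdf", 2: "logo.png"}


if __name__ == "__main__":
    session = "sess-abc"
    good = make_token(session, "delete_file")
    # Cross-site request: attacker's page triggers the POST but cannot supply a token.
    print("inverted, no token, deleted:", delete_file_inverted(sample_files(), session, 1, None))
    print("fixed, no token, blocked:", raises_csrf(delete_file_fixed, sample_files(), session, 1, None))
    # Legitimate dashboard request carrying the session's own token.
    print("inverted, valid token, blocked:", raises_csrf(delete_file_inverted, sample_files(), session, 1, good))
    print("fixed, valid token, deleted:", delete_file_fixed(sample_files(), session, 1, good))
```

A regression test that only exercises the happy path would not have caught this: the inverted handler fails the legitimate request, which users might report as a glitch, while silently accepting the forged one. Tests for a CSRF guard need both the "valid token succeeds" and the "no token is refused" cases.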