Total
87 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-21829 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concrete_secure’ instead of ‘concrete’. Concrete now only makes requests over https even a request comes in via http. Concrete CMS security team ranked this 8 with CVSS v3.1 vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Credit goes to Anna for reporting HackerOne 1482520. | |||||
CVE-2021-40109 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 5.5 MEDIUM | 6.4 MEDIUM |
A SSRF issue was discovered in Concrete CMS through 8.5.5. Users can access forbidden files on their local network. A user with permissions to upload files from external sites can upload a URL that redirects to an internal resource of any file type. The redirect is followed and loads the contents of the file from the redirected-to server. Files of disallowed types can be uploaded. | |||||
CVE-2021-40108 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
An issue was discovered in Concrete CMS through 8.5.5. The Calendar is vulnerable to CSRF. ccm_token is not verified on the ccm/calendar/dialogs/event/add/save endpoint. | |||||
CVE-2021-40106 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
An issue was discovered in Concrete CMS through 8.5.5. There is unauthenticated stored XSS in blog comments via the website field. | |||||
CVE-2021-40105 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
An issue was discovered in Concrete CMS through 8.5.5. There is XSS via Markdown Comments. | |||||
CVE-2021-40104 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in Concrete CMS through 8.5.5. There is an SVG sanitizer bypass. | |||||
CVE-2021-40103 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in Concrete CMS through 8.5.5. Path Traversal can lead to Arbitrary File Reading and SSRF. | |||||
CVE-2021-40102 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
An issue was discovered in Concrete CMS through 8.5.5. Arbitrary File deletion can occur via PHAR deserialization in is_dir (PHP Object Injection associated with the __wakeup magic method). | |||||
CVE-2021-40101 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
An issue was discovered in Concrete CMS before 8.5.7. The Dashboard allows a user's password to be changed without a prompt for the current password. | |||||
CVE-2021-40100 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
An issue was discovered in Concrete CMS through 8.5.5. Stored XSS can occur in Conversations when the Active Conversation Editor is set to Rich Text. | |||||
CVE-2021-40099 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
An issue was discovered in Concrete CMS through 8.5.5. Fetching the update json scheme over HTTP leads to remote code execution. | |||||
CVE-2021-40098 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in Concrete CMS through 8.5.5. Path Traversal leading to RCE via external form by adding a regular expression. | |||||
CVE-2021-40097 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
An issue was discovered in Concrete CMS through 8.5.5. Authenticated path traversal leads to to remote code execution via uploaded PHP code, related to the bFilename parameter. | |||||
CVE-2021-3111 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
The Express Entries Dashboard in Concrete5 8.5.4 allows stored XSS via the name field of a new data object at an index.php/dashboard/express/entries/view/ URI. | |||||
CVE-2021-36766 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
Concrete5 through 8.5.5 deserializes Untrusted Data. The vulnerable code is located within the controllers/single_page/dashboard/system/environment/logging.php Logging::update_logging() method. User input passed through the logFile request parameter is not properly sanitized before being used in a call to the file_exists() PHP function. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope (PHP Object Injection via phar:// stream wrapper), allowing them to carry out a variety of attacks, such as executing arbitrary PHP code. | |||||
CVE-2021-28145 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
Concrete CMS (formerly concrete5) before 8.5.5 allows remote authenticated users to conduct XSS attacks via a crafted survey block. This requires at least Editor privileges. | |||||
CVE-2021-22970 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
Concrete CMS (formerly concrete5) versions 8.5.6 and below and version 9.0.0 allow local IP importing causing the system to be vulnerable toa. SSRF attacks on the private LAN servers by reading files from the local LAN. An attacker can pivot in the private LAN and exploit local network appsandb. SSRF Mitigation Bypass through DNS RebindingConcrete CMS security team gave this a CVSS score of 3.5 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:NConcrete CMS is maintaining Concrete version 8.5.x until 1 May 2022 for security fixes.This CVE is shared with HackerOne Reports https://hackerone.com/reports/1364797 and https://hackerone.com/reports/1360016Reporters: Adrian Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) and Bipul Jaiswal | |||||
CVE-2021-22969 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
Concrete CMS (formerly concrete5) versions below 8.5.7 has a SSRF mitigation bypass using DNS Rebind attack giving an attacker the ability to fetch cloud IAAS (ex AWS) IAM keys.To fix this Concrete CMS no longer allows downloads from the local network and specifies the validated IP when downloading rather than relying on DNS.Discoverer: Adrian Tiron from FORTBRIDGE ( https://www.fortbridge.co.uk/ )The Concrete CMS team gave this a CVSS 3.1 score of 3.5 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N . Please note that Cloud IAAS provider mis-configurations are not Concrete CMS vulnerabilities. A mitigation for this vulnerability is to make sure that the IMDS configurations are according to a cloud provider's best practices.This fix is also in Concrete version 9.0.0 | |||||
CVE-2021-22968 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below.The external file upload feature stages files in the public directory even if they have disallowed file extensions. They are stored in a directory with a random name, but it's possible to stall the uploads and brute force the directory name. You have to be an admin with the ability to upload files, but this bug gives you the ability to upload restricted file types and execute them depending on server configuration.To fix this, a check for allowed file extensions was added before downloading files to a tmp directory.Concrete CMS Security Team gave this a CVSS v3.1 score of 5.4 AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:NThis fix is also in Concrete version 9.0.0 | |||||
CVE-2021-22967 | 1 Concretecms | 1 Concrete Cms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
In Concrete CMS (formerly concrete 5) below 8.5.7, IDOR Allows Unauthenticated User to Access Restricted Files If Allowed to Add Message to a Conversation.To remediate this, a check was added to verify a user has permissions to view files before attaching the files to a message in "add / edit message”.Concrete CMS security team gave this a CVSS v3.1 score of 4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NCredit for discovery Adrian H |