CVE-2026-2994
- EPSS 0.02%
- Published 04.03.2026 02:18:31
- Last modified 04.03.2026 03:16:04
Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via group_id parameter which can lead to a security bypass since changes are saved prior to checking the CSRF token. The C...
CVE-2026-3240
- EPSS 0.04%
- Published 04.03.2026 02:15:53
- Last modified 04.03.2026 03:16:04
In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored XSS attack towards high-privilege accounts via the Question field. The Concrete CMS security team gave this vulnerability a CVSS ...
CVE-2026-3241
- EPSS 0.04%
- Published 04.03.2026 02:12:51
- Last modified 04.03.2026 03:16:05
In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the "Legacy Form" block. An authenticated user with permissions to create or edit forms (e.g., a rogue administrator) can inject a persistent JavaScript ...
CVE-2026-3242
- EPSS 0.04%
- Published 04.03.2026 02:00:38
- Last modified 04.03.2026 03:16:05
In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:...
CVE-2026-3244
- EPSS 0.04%
- Published 04.03.2026 01:55:46
- Last modified 04.03.2026 02:15:54
In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrator...
CVE-2026-3452
- EPSS 0.4%
- Published 04.03.2026 01:49:27
- Last modified 04.03.2026 02:15:54
Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block ...
CVE-2025-8571
- EPSS 0.06%
- Published 05.08.2025 22:37:14
- Last modified 04.09.2025 15:54:06
Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Page. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirec...
CVE-2025-8573
- EPSS 0.12%
- Published 05.08.2025 22:36:48
- Last modified 04.09.2025 15:54:04
Concrete CMS versions 9 through 9.4.2 are vulnerable to Stored XSS from Home Folder on Members Dashboard page. Version 8 was not affected. A rogue admin could set up a malicious folder containing XSS to which users could be directed upon login. The ...
CVE-2025-3153
- EPSS 0.09%
- Published 03.04.2025 02:15:20
- Last modified 04.09.2025 15:54:07
Concrete CMS version 9 below 9.4.0RC2 and versions below 8.5.20 are vulnerable to CSRF and XSS in the Concrete CMS Address attribute because addresses are not properly sanitized in the output when a country is not specified. Attackers are limited to...
CVE-2025-2972
- EPSS 0.03%
- Published 31.03.2025 03:15:14
- Last modified 04.04.2025 01:15:40
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.