Concretecms

Concrete Cms

166 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.
  • EPSS 0.65%
  • Published 14.11.2022 23:15:12
  • Last modified 30.04.2025 16:15:28

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure.

  • EPSS 0.59%
  • Published 14.11.2022 23:15:12
  • Last modified 30.04.2025 16:15:29

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 did not use strict comparison for the legacy_salt so that limited authentication bypass could occur if using this functionality. Remediate by updating to Concrete CMS 9.1.3+ o...

  • EPSS 0.44%
  • Published 14.11.2022 23:15:12
  • Last modified 30.04.2025 16:15:29

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently disclose server-side sensitive information (secrets in environment variables and server information) when Debug Mode is left on in production.

  • EPSS 0.6%
  • Published 14.11.2022 23:15:12
  • Last modified 13.05.2025 20:15:23

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn’t e...

  • EPSS 0.58%
  • Published 14.11.2022 23:15:11
  • Last modified 30.04.2025 16:15:28

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

  • EPSS 0.99%
  • Published 14.11.2022 22:15:14
  • Last modified 30.04.2025 16:15:28

In Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2, the authTypeConcreteCookieMap table can be filled up causing a denial of service (high load).

  • EPSS 0.59%
  • Published 14.11.2022 22:15:14
  • Last modified 13.05.2025 20:15:23

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the multilingual report due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

  • EPSS 0.59%
  • Published 14.11.2022 22:15:14
  • Last modified 13.05.2025 20:15:24

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the dashboard icons due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

  • EPSS 0.59%
  • Published 14.11.2022 19:15:24
  • Last modified 30.04.2025 15:15:58

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the image manipulation library due to un-sanitized output.

  • EPSS 0.59%
  • Published 14.11.2022 19:15:14
  • Last modified 30.04.2025 16:15:29

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS - user can cause an administrator to trigger reflected XSS with a url if the targeted administrator is using an old browser that lacks XSS prote...