Concretecms

Concrete Cms

166 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
7.5

CVE-2021-22967

  • EPSS 1.11%
  • Veröffentlicht 19.11.2021 19:15:08
  • Zuletzt bearbeitet 21.11.2024 05:51:02

In Concrete CMS (formerly concrete 5) below 8.5.7, IDOR Allows Unauthenticated User to Access Restricted Files If Allowed to Add Message to a Conversation.To remediate this, a check was added to verify a user has permissions to view files before atta...

7.2

CVE-2021-22968

Exploit
  • EPSS 3.13%
  • Veröffentlicht 19.11.2021 19:15:08
  • Zuletzt bearbeitet 21.11.2024 05:51:02

A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below.The external file upload feature stages files in the public directory even if they...

5.3

CVE-2021-22969

  • EPSS 0.83%
  • Veröffentlicht 19.11.2021 19:15:08
  • Zuletzt bearbeitet 21.11.2024 05:51:02

Concrete CMS (formerly concrete5) versions below 8.5.7 has a SSRF mitigation bypass using DNS Rebind attack giving an attacker the ability to fetch cloud IAAS (ex AWS) IAM keys.To fix this Concrete CMS no longer allows downloads from the local networ...

7.5

CVE-2021-22970

  • EPSS 1.44%
  • Veröffentlicht 19.11.2021 19:15:08
  • Zuletzt bearbeitet 21.11.2024 05:51:02

Concrete CMS (formerly concrete5) versions 8.5.6 and below and version 9.0.0 allow local IP importing causing the system to be vulnerable toa. SSRF attacks on the private LAN servers by reading files from the local LAN. An attacker can pivot in the p...

9.8

CVE-2021-22958

  • EPSS 1.19%
  • Veröffentlicht 07.10.2021 14:15:08
  • Zuletzt bearbeitet 21.11.2024 05:51:01

A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP address to bypass the limitations in place for localhost allowing interaction with local services. Impact can vary depending on serv...

8.8

CVE-2021-40108

  • EPSS 0.48%
  • Veröffentlicht 27.09.2021 13:15:08
  • Zuletzt bearbeitet 21.11.2024 06:23:34

An issue was discovered in Concrete CMS through 8.5.5. The Calendar is vulnerable to CSRF. ccm_token is not verified on the ccm/calendar/dialogs/event/add/save endpoint.

6.4

CVE-2021-40109

  • EPSS 0.52%
  • Veröffentlicht 27.09.2021 13:15:08
  • Zuletzt bearbeitet 21.11.2024 06:23:35

A SSRF issue was discovered in Concrete CMS through 8.5.5. Users can access forbidden files on their local network. A user with permissions to upload files from external sites can upload a URL that redirects to an internal resource of any file type. ...

9.8

CVE-2021-40098

  • EPSS 1.57%
  • Veröffentlicht 27.09.2021 12:15:08
  • Zuletzt bearbeitet 21.11.2024 06:23:33

An issue was discovered in Concrete CMS through 8.5.5. Path Traversal leading to RCE via external form by adding a regular expression.

7.5

CVE-2021-40103

  • EPSS 1.44%
  • Veröffentlicht 27.09.2021 12:15:08
  • Zuletzt bearbeitet 21.11.2024 06:23:34

An issue was discovered in Concrete CMS through 8.5.5. Path Traversal can lead to Arbitrary File Reading and SSRF.

7.5

CVE-2021-40104

  • EPSS 1.28%
  • Veröffentlicht 27.09.2021 12:15:08
  • Zuletzt bearbeitet 21.11.2024 06:23:34

An issue was discovered in Concrete CMS through 8.5.5. There is an SVG sanitizer bypass.