Concretecms

Concrete Cms

119 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
5.3

CVE-2023-28821

  • EPSS 0.2%
  • Veröffentlicht 28.04.2023 14:15:10
  • Zuletzt bearbeitet 30.01.2025 21:15:10

Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets.

6.1

CVE-2022-43556

  • EPSS 0.96%
  • Veröffentlicht 05.12.2022 22:15:11
  • Zuletzt bearbeitet 24.04.2025 14:15:38

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. The Concrete CMS security team has ranked this 4.2 with CVSS v3.1 vector ...

4.8

CVE-2022-43688

  • EPSS 0.48%
  • Veröffentlicht 14.11.2022 23:15:12
  • Zuletzt bearbeitet 21.11.2024 07:27:02

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in icons since the Microsoft application tile color is not sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10...

5.3

CVE-2022-43689

  • EPSS 0.4%
  • Veröffentlicht 14.11.2022 23:15:12
  • Zuletzt bearbeitet 30.04.2025 16:15:28

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure.

6.3

CVE-2022-43690

  • EPSS 0.6%
  • Veröffentlicht 14.11.2022 23:15:12
  • Zuletzt bearbeitet 30.04.2025 16:15:29

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 did not use strict comparison for the legacy_salt so that limited authentication bypass could occur if using this functionality. Remediate by updating to Concrete CMS 9.1.3+ o...

5.3

CVE-2022-43691

  • EPSS 0.21%
  • Veröffentlicht 14.11.2022 23:15:12
  • Zuletzt bearbeitet 30.04.2025 16:15:29

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently disclose server-side sensitive information (secrets in environment variables and server information) when Debug Mode is left on in production.

4.8

CVE-2022-43695

  • EPSS 0.52%
  • Veröffentlicht 14.11.2022 23:15:12
  • Zuletzt bearbeitet 13.05.2025 20:15:23

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn’t e...

5.4

CVE-2022-43687

  • EPSS 0.4%
  • Veröffentlicht 14.11.2022 23:15:11
  • Zuletzt bearbeitet 30.04.2025 16:15:28

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.

6.5

CVE-2022-43686

  • EPSS 0.66%
  • Veröffentlicht 14.11.2022 22:15:14
  • Zuletzt bearbeitet 30.04.2025 16:15:28

In Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2, the authTypeConcreteCookieMap table can be filled up causing a denial of service (high load).

6.1

CVE-2022-43967

  • EPSS 0.85%
  • Veröffentlicht 14.11.2022 22:15:14
  • Zuletzt bearbeitet 13.05.2025 20:15:23

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the multilingual report due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.