Concrete Cms
Monthly
Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog. This can cause Cross-entity state tampering with view-only permission on one entry. To be affected, a website has to be using express and relying on express entity ordering. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.
Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion. Victim with edit_file_contents permission is CSRF'd into publishing an attacker-chosen previously-uploaded version (downgrade to an older version of a file, or activation of a co-editor's unpublished version). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.
CSRF vulnerability in Concrete CMS 9.x before 9.5.0 allows a network-based attacker to trigger unauthorized log deletion by tricking an authenticated user into visiting a crafted page that silently issues a forged request to the concrete/controllers/dialog/logs/delete endpoint. The Concrete CMS security team assigned this a CVSS v4.0 score of 2.3, reflecting low integrity impact and the presence of attack prerequisites. No public exploit code has been identified and it is not listed in the CISA KEV catalog.
Stored XSS in Concrete CMS 9.5.0 and below allows a high-privileged authenticated attacker to inject malicious scripts via the cvName parameter of external-link pages, exploiting a sanitization bypass in the updateCollectionAliasExternal function. The injected payload is persisted server-side and executes in the browser of any user who subsequently views the affected page within the CMS backend. The vendor-assigned CVSS v4.0 score of 2.0 reflects constrained real-world impact: exploitation requires admin-level credentials, prerequisite attack conditions (AT:P), and passive victim interaction, with no public exploit identified at time of analysis.
Cross-Site Request Forgery in Concrete CMS 9.x allows an unauthenticated remote attacker to delete application logs on behalf of an authenticated victim by tricking them into visiting a malicious page. The vulnerable endpoint is concrete/controllers/dialog/logs/bulk/delete, and exploitation results in low-integrity impact - specifically, destruction of audit log data. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS v4.0 score of 2.3 reflects the combination of required user interaction and the presence of attack prerequisites.
Cross-Site Request Forgery in Concrete CMS 9.x through 9.5.0 allows a remote unauthenticated attacker to trigger bulk page deletion by tricking an authenticated user into visiting a malicious web page. The vulnerable endpoint is concrete/controllers/dialog/page/bulk/delete, and exploitation results in low-integrity impact against the vulnerable system. No public exploit code has been identified at time of analysis, and the Concrete CMS security team assigned a CVSS v4.0 score of 2.3, reflecting the prerequisite of passive victim interaction and the constrained impact.
Cross-Site Request Forgery in Concrete CMS 9 allows a remote unauthenticated attacker to trigger unauthorized bulk cache operations against authenticated CMS users. The vulnerable endpoint is concrete/controllers/dialog/page/bulk/cache, which fails to validate request origin, enabling an attacker to manipulate page cache state by deceiving a logged-in user into loading a crafted page. No public exploit or active exploitation has been identified; the Concrete CMS security team rated this CVSS v4.0 2.3 (Low), reflecting limited integrity impact and the prerequisite of user interaction.
Cross-Site Request Forgery in Concrete CMS 9.x exposes the bulk page design dialog endpoint (concrete/controllers/dialog/page/bulk/design) to forged requests, allowing a network-accessible attacker to manipulate page design settings on behalf of an authenticated user who visits a malicious link. The Concrete CMS security team assigned a CVSS v4.0 score of 2.3 (Low), reflecting that exploitation requires specific attack prerequisites (AT:P) and user interaction (UI:P), with impact limited to low-severity integrity modifications on the vulnerable system. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Cross-site request forgery in Concrete CMS 9.x before 9.5.0 permits a remote unauthenticated attacker to trigger unauthorized event duplication on behalf of an authenticated user by luring that user to an attacker-controlled page. The vulnerable endpoint is `concrete/controllers/dialog/event/duplicate`, which lacks CSRF token validation. The vendor-assigned CVSS v4.0 score of 2.3 reflects genuinely low impact - limited to a low-integrity effect on the vulnerable system - and no public exploit code or CISA KEV listing has been identified at the time of analysis.
Cross-Site Request Forgery in Concrete CMS 9.x allows a remote unauthenticated attacker to trigger unauthorized reordering of Express Object associations by tricking an authenticated user into visiting a crafted page. The vulnerability targets the endpoint concrete/controllers/dialog/express/association/reorder, with impact limited to low-severity integrity modification of the vulnerable system only. No public exploit has been identified at time of analysis, and the low CVSS v4.0 score of 2.3 reflects the combination of required user interaction, specific prerequisite conditions (AT:P), and limited data impact.
Cross-Site Request Forgery in Concrete CMS 9.x allows a remote unauthenticated attacker to forge state-changing requests against the file manager's addFavoriteFolder endpoint on behalf of an authenticated victim. Exploitation results in low-integrity impact - specifically unauthorized modification of a victim's favorite folder state - without any confidentiality or availability consequences. No public exploit has been identified at time of analysis, and the low CVSS v4.0 score of 2.3 reflects the passive user interaction requirement and constrained impact scope.
Cross-Site Request Forgery in Concrete CMS 9.x (versions prior to 9.5.0) allows a remote attacker to trigger the removeFavoriteFolder action on behalf of an authenticated CMS user by tricking them into visiting a malicious page. The affected endpoint is concrete/controllers/backend/file and the impact is limited to low-integrity modification - removal of a favorite folder. No public exploit has been identified and this vulnerability is not confirmed as actively exploited (CISA KEV). The CVSS 4.0 score of 2.3 accurately reflects the constrained, low-impact nature of the flaw.
Cross-Site Request Forgery (CSRF) in Concrete CMS 9.x before 9.5.1 allows a remote unauthenticated attacker to trigger unauthorized file-starring actions on behalf of an authenticated victim by luring them to a malicious page. The vulnerable endpoint is concrete/controllers/backend/file/star(), and successful exploitation results in a low-integrity modification of file bookmark state within the CMS. No public exploit code has been identified at time of analysis, and the Concrete CMS security team assigned this a CVSS v4.0 score of 2.3, reflecting its narrow, low-impact scope.
CSRF vulnerability in Concrete CMS 9.x exposes the backend file rescan controller at concrete/controllers/backend/file to unauthorized state-changing requests. Affecting versions 9.0 through 9.4.x (patched in 9.5.1), an unauthenticated remote attacker can trigger unintended file rescan operations against an authenticated victim's session by luring them to a malicious page. Rated CVSS v4.0 at 2.3 - limited to low integrity impact with no confidentiality or availability consequence - and no public exploit identified at time of analysis.
Cross-Site Request Forgery (CSRF) in Concrete CMS 9.x through 9.5.0 allows a remote unauthenticated attacker to trigger unauthorized file rescanning via the rescanMultiple() function in the backend file controller, provided a logged-in user can be lured to interact with an attacker-crafted page. The integrity impact is limited to the vulnerable component, with no confidentiality or availability consequence. No public exploit or active exploitation has been identified; the Concrete CMS security team assigned a CVSS v4.0 score of 2.3, reflecting the low real-world impact and the prerequisite of user interaction and specific attack conditions.
Cross-Site Request Forgery in Concrete CMS versions 9.0 through 9.5.0 exposes the approveVersion() backend file management endpoint to forged requests, allowing an unauthenticated remote attacker to manipulate file version approval state on behalf of an authenticated victim. The vendor's own CVSS v4.0 scoring assigns a 2.3 (Very Low) severity, reflecting the constrained impact - limited to low integrity change within the vulnerable component with no confidentiality or availability consequence. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, positioning this as a low-priority but legitimately tracked integrity weakness in CMS file workflows.
OAuth 2.0 Authorization Code handler in Concrete CMS 9.5.0 and earlier fails to enforce account status checks, allowing users with suspended, banned, or terminated accounts (uIsActive=0) to complete OAuth flows and receive valid API tokens. Deployments using OAuth 2.0 as an authentication mechanism are affected, with the primary real-world impact being unauthorized continued access by deprovisioned users - such as terminated employees or revoked contractors - who retain OAuth credentials. With a CVSS v4.0 score of 2.3, no CISA KEV listing, and no public exploit identified at time of analysis, this is a low-severity issue with narrow scope but meaningful identity governance implications for organizations relying on CMS-level account suspension as a deprovisioning control.
Insecure Direct Object Reference (IDOR) in Concrete CMS 9.5.0 and below allows authenticated users with conversation posting rights to bypass the file permission system and reference arbitrary files from the CMS file manager. The AddMessage and UpdateMessage conversation controllers accept user-supplied integer attachment IDs and load file objects directly via the ORM without invoking the canViewFile() permission check, enabling unauthorized read and limited write access to files across the system. No public exploit code has been identified at time of analysis, and the ConcreteCMS security team assessed this as a low-severity issue (CVSS 4.0: 2.3), but sites storing sensitive private files are at meaningful risk if those files are served from within the webroot.
Unauthorized file deletion is possible in Concrete CMS 9.5.0 and below due to an inverted CSRF token validation logic in the DeleteFile controller, where the protection mechanism operates in reverse - rejecting legitimate requests and approving forged ones. A remote unauthenticated attacker (PR:N per CVSS v4.0) can craft a cross-site request forgery attack that deletes files on behalf of any victim authenticated with conversation message editing privileges. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV; the vendor-assigned CVSS v4.0 score of 2.3 reflects the constrained real-world impact given the required victim privilege level and mandatory user interaction.
Unauthorized disclosure of restricted calendar event details in Concrete CMS 9.5.0 and below stems from a missing authorization check in the Calendar Block's action_get_events handler, which never invokes canView on the target calendar before returning event data. Unauthenticated remote attackers who can reach the endpoint can retrieve event information that site administrators have explicitly restricted, provided a Calendar Block with access-controlled events is deployed. No public exploit code exists and the vulnerability is absent from the CISA KEV catalog; however, the network-accessible, zero-authentication nature of the endpoint lowers the bar for casual enumeration of restricted scheduling data.
Cross-calendar data disclosure in Concrete CMS 9.5.0 and below exposes private calendar event data to unauthenticated remote attackers via an authorization bypass (CWE-639) in the Calendar Event Frontend Dialog. A publicly accessible calendar block serves as a required pivot point, allowing attackers to reference and retrieve event data from private calendars within the same installation. No public exploit has been identified at time of analysis; the vendor assigned a CVSS 4.0 score of 6.3, reflecting constrained confidentiality impact and a prerequisite attack condition (AT:P).
Stored cross-site scripting in Concrete CMS 9.5.0 and earlier allows authenticated editors to inject persistent JavaScript via the unvalidated 'height' parameter, executing in any subsequent visitor's browser. The CVSS 4.0 score of 7.3 reflects high privilege requirements (editor role) combined with high impact, and no public exploit identified at time of analysis.
{fID}` lacks a permission check, returning page IDs, URL handles, and full URLs for every page referencing a given file - including pages explicitly restricted by CMS access controls. No public exploit identified at time of analysis, but the CVSS:4.0 AV:N/AC:L/AT:N/PR:N/UI:N vector confirms trivial, unauthenticated network exploitation with no complexity barrier.
Concrete CMS versions below 9.5.0 expose authenticated users to two related privilege-abuse primitives via a mass assignment flaw: password replacement without the current password, and disabling per-user IP-pinning that guards against session hijacking. The user-profile edit controller forwards the entire raw POST body to UserInfo::update() with no field whitelist, allowing any registered user to inject arbitrary model attributes - including the password field and session-security settings - into their own profile update. No public exploit code has been identified at time of analysis, but the attack is low-complexity and network-accessible for any authenticated user.
Reflected XSS in Concrete CMS 9.5.0 and below allows a remote unauthenticated attacker to inject and execute arbitrary JavaScript in the browser of an authenticated admin or report viewer who clicks a crafted URL targeting the legacy form reports dashboard. The vulnerable component, Concrete\Core\Legacy\Pagination, raw-interpolates a user-controlled URL value directly into an HTML href attribute, enabling attribute injection per CWE-83. With a CVSS 4.0 score of 6.0 and high confidentiality impact (VC:H) on the vulnerable system, successful exploitation can lead to session token theft; no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Insecure Direct Object Reference (IDOR) in Concrete CMS versions up to and including 9.5.0 enables unauthenticated remote attackers to cast fraudulent votes in restricted private surveys by submitting a private survey's optionID through the publicly accessible voting endpoint. The vulnerability is configuration-dependent - exploitation requires the target site to simultaneously host both public and private surveys - which the CVSS v4.0 vector encodes as AT:P (Attack Requirements: Present), moderately lowering the practical risk surface compared to a universally exploitable flaw. No public exploit code or active exploitation has been identified at time of analysis. Impact is limited to integrity: survey result manipulation with no confidentiality or availability consequence.
Unauthenticated page metadata disclosure in Concrete CMS 9.5.0 and below exposes private, draft, and restricted page details - including title, URL path, description, and author - to any remote attacker on sites with summary templates configured. The flaw stems from improper access control (CWE-284) where the summary template rendering pipeline bypasses page visibility restrictions entirely, making sensitive page structure visible without any credential. No active exploitation (CISA KEV) and no public exploit code have been identified at time of analysis; the CVSS v4.0 score of 6.3 with AT:P reflects that exploitation depends on a non-universal template configuration being present.
Unauthorized access to all Express form submissions is possible in Concrete CMS 9.5.0 and below through an Insecure Direct Object Reference (IDOR) in the Express Entry Detail block, exploitable by unauthenticated remote attackers who manipulate the exEntryID parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N) confirms network-accessible, unauthenticated exploitation, though the AT:P metric indicates a specific deployment precondition - the Express Entry Detail block must be in active use. No public exploit or CISA KEV listing has been identified at time of analysis; a vendor-released patch is available in the 9.5.1 release.
Unauthorized file download in Concrete CMS 9.5.0 and below exposes permission-restricted files via a broken authorization check in the file download controller. The submit_password() method in download_file.php processes file access without enforcing the view_file permission gate, producing two exploitable paths: any unauthenticated network actor can retrieve files that carry no password protection, and any actor who possesses a file's password can retrieve that file regardless of whether their account holds view_file permission. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Insecure Direct Object Reference (IDOR) in Concrete CMS 9.5.0 and earlier exposes the full content of any conversation message through an unauthenticated frontend API endpoint, including messages from restricted pages, member-only areas, and the moderation queue. Unauthenticated remote attackers can enumerate message records and harvest file attachment download URLs by querying `/ccm/frontend/conversations/message_page` without credentials. No public exploit code has been identified and no CISA KEV listing exists; however, the network-accessible unauthenticated attack vector (PR:N, AV:N) makes patching a priority for any public-facing installation using the Conversations feature.
Unauthenticated information disclosure in Concrete CMS 9.5.0 and earlier allows remote attackers to enumerate all conversation messages - including content from restricted pages, member-only areas, and the moderation queue - by exploiting a missing authorization check on the `/ccm/frontend/conversations/message_detail` endpoint. File attachment download URLs are also exposed, compounding the data leakage risk. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the attack requires no credentials and no user interaction, making bulk enumeration trivial once the conversations feature is confirmed active.
Insecure Direct Object Reference (IDOR) in Concrete CMS 9.5.0 and earlier allows unauthenticated remote attackers to enumerate arbitrary conversation message IDs via the `/ccm/frontend/conversations/get_rating` endpoint, confirming message existence and leaking rating scores. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:L) indicates no authentication is required but a prerequisite condition must be met - likely the Conversations module being enabled and publicly reachable. No public exploit has been identified and this CVE is not listed in CISA KEV, placing it in the low-priority tier despite its network-accessible nature.
{fID} endpoint without any credentials. The flaw combines CWE-862 (Missing Authorization) with a classic IDOR pattern on an integer file ID parameter, and is scored CVSS 4.0 at 6.3 (Medium) by the vendor with PR:N and AC:L, though the AT:P metric indicates that valid file IDs must exist for meaningful data to be returned. No public exploit code and no CISA KEV listing exist at time of analysis.
Stored XSS in Concrete CMS versions before 9.4.8 allows authenticated administrators to inject malicious scripts through the Switch Language block, affecting any site where a rogue admin account exists. Public exploit code is available for this vulnerability. A patch is available in version 9.4.8 and later.
Stored XSS in Concrete CMS Legacy Form block below version 9.4.8 allows authenticated users with form creation permissions to inject malicious JavaScript into multiple-choice question options, which executes for all users viewing the affected form. Public exploit code exists for this vulnerability. Administrators should upgrade to version 9.4.8 or later to remediate the risk of session hijacking and data theft.
Stored XSS in Concrete CMS versions before 9.4.8 allows authenticated users with page editing permissions to inject malicious scripts through the Legacy form Question field, targeting high-privilege accounts. Public exploit code exists for this vulnerability, which requires user interaction to execute. A patch is available in version 9.4.8 and later.
Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Configuration that allows authenticated administrators to modify security settings without valid CSRF token validation. An attacker with administrative privileges can exploit this to bypass security controls by manipulating the group_id parameter before token verification occurs. Public exploit code exists for this vulnerability, and a patch is available.
Remote code execution in Concrete CMS prior to version 9.4.8 stems from unsafe deserialization of PHP objects in the Express Entry List block configuration. An authenticated administrator can inject malicious serialized data through the columns parameter that executes arbitrary code when unserialized without validation. This allows attackers with admin privileges to achieve complete system compromise through stored object injection attacks.
Concrete CMS versions below 9.4.8 contain a stored XSS vulnerability in the search block where unencoded page names and content are rendered in search results, allowing authenticated administrators to inject malicious JavaScript that executes for other users. Public exploit code exists for this vulnerability, which requires high privileges and user interaction to exploit. The vulnerability affects confidentiality and integrity but not availability.
Concrete CMS versions 9 through 9.4.2 are vulnerable to Stored XSS from Home Folder on Members Dashboard page. Rated low severity (CVSS 2.0), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Page. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS version 9 below 9.4.0RC2 and versions below 8.5.20 are vulnerable to CSRF and XSS in the Concrete CMS Address attribute because addresses are not properly sanitized in the output when a. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in Image Editor Background Color. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Concrete CMS versions 9.0.0 through 9.3.3 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in the "Next&Previous Nav" block. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in Board instances. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Concrete CMS versions 9 through 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in getAttributeSetName(). Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board instance functionality. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity.
Concrete CMS version 9 prior to 9.2.8 and previous versions prior to 8.5.16 are vulnerable to Stored XSS in the Search Field. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS version 9 below 9.2.8 and previous versions below 8.5.16 is vulnerable to Stored XSS in blocks of type file. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS version 9 before 9.2.8 and previous versions before 8.5.16 are vulnerable to Stored XSS in the Custom Class page editing. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS versions 9 below 9.2.8 and versions below 8.5.16 are vulnerable to Cross-site Scripting (XSS) in the Advanced File Search Filter. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS version 9 before 9.2.8 and previous versions prior to 8.5.16 is vulnerable to Stored XSS on the calendar color settings screen since Information input by the user is output without. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS version 9 before 9.2.7 is vulnerable to Stored XSS via the Name field of a Group type since there is insufficient validation of administrator provided data for that field. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature due to insufficient validation of administrator provided data. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator entered file attributes are not sufficiently sanitized in the Edit. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS via the Role Name field since there is insufficient validation of administrator provided data for that field. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery (CSRF) via /ccm/system/dialogs/logs/delete_all/submit. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows stored XSS on the Admin page via an uploaded file name. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow an attacker to execute arbitrary code via a crafted script to the Header and Footer Tracking Codes of the SEO &. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Concrete CMS v9.2.1 is affected by an Arbitrary File Upload vulnerability via a Thumbnail file upload, which allows Cross-Site Scripting (XSS). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A Cross Site Scripting (XSS) vulnerability in Concrete CMS v.9.2.1 allows an attacker to execute arbitrary code via a crafted script to the SEO - Extra from Page Settings. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A Cross Site Scripting (XSS) vulnerability in Concrete CMS versions 8.5.12 and below, and 9.0 through 9.2.1 allows an attacker to execute arbitrary code via a crafted script to Plural Handle of the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A Cross Site Scripting (XSS) vulnerability in Concrete CMS before 9.2.3 exists via the Name parameter during installation (aka Site of Installation or Settings). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A Cross Site Scripting (XSS) vulnerability in Concrete CMS from versions 9.2.0 to 9.2.2 allows an attacker to execute arbitrary code via a crafted script to the Tags from Settings - Tags. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS versions affected to 8.5.13 and below, and 9.0.0 through 9.2.1 allow a local attacker to execute arbitrary code via a crafted. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS (previously concrete5) versions 8.5.12 and below, 9.0.0 through 9.0.2 is vulnerable to Stored XSS in uploaded file and folder names. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to stored XSS on API Integrations via the name parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Tags on uploaded files. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS (previously concrete5) versions 8.5.12 and below, and versions 9.0 through 9.1.3 is vulnerable to Reflected XSS on the Reply form because msgID was not sanitized. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Saved Presets on search. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to possible Auth bypass in the jobs section. Rated low severity (CVSS 3.3), this vulnerability is remotely exploitable. No vendor patch available.
Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 does not have Secure and HTTP only attributes set for ccmPoll cookies. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS via a container name. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently disclose server-side sensitive information (secrets in environment variables and server information) when. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 did not use strict comparison for the legacy_salt so that limited authentication bypass could occur if using this. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in icons since the Microsoft application tile color is not sanitized. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the dashboard icons due to un-sanitized output. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the multilingual report due to un-sanitized output. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
In Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2, the authTypeConcreteCookieMap table can be filled up causing a denial of service (high load). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.
Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicious actions performed on behalf of users, and potential privilege escalation. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Yonatan Drori (Tenzai) for reporting.
Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog. This can cause Cross-entity state tampering with view-only permission on one entry. To be affected, a website has to be using express and relying on express entity ordering. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.
Concrete CMS 9.5.0 and below is vulnerable to CSRF via Backend\File::approveVersion. Victim with edit_file_contents permission is CSRF'd into publishing an attacker-chosen previously-uploaded version (downgrade to an older version of a file, or activation of a co-editor's unpublished version). The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.3 with vector CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Winston Crooker for reporting.
CSRF vulnerability in Concrete CMS 9.x before 9.5.0 allows a network-based attacker to trigger unauthorized log deletion by tricking an authenticated user into visiting a crafted page that silently issues a forged request to the concrete/controllers/dialog/logs/delete endpoint. The Concrete CMS security team assigned this a CVSS v4.0 score of 2.3, reflecting low integrity impact and the presence of attack prerequisites. No public exploit code has been identified and it is not listed in the CISA KEV catalog.
Stored XSS in Concrete CMS 9.5.0 and below allows a high-privileged authenticated attacker to inject malicious scripts via the cvName parameter of external-link pages, exploiting a sanitization bypass in the updateCollectionAliasExternal function. The injected payload is persisted server-side and executes in the browser of any user who subsequently views the affected page within the CMS backend. The vendor-assigned CVSS v4.0 score of 2.0 reflects constrained real-world impact: exploitation requires admin-level credentials, prerequisite attack conditions (AT:P), and passive victim interaction, with no public exploit identified at time of analysis.
Cross-Site Request Forgery in Concrete CMS 9.x allows an unauthenticated remote attacker to delete application logs on behalf of an authenticated victim by tricking them into visiting a malicious page. The vulnerable endpoint is concrete/controllers/dialog/logs/bulk/delete, and exploitation results in low-integrity impact - specifically, destruction of audit log data. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS v4.0 score of 2.3 reflects the combination of required user interaction and the presence of attack prerequisites.
Cross-Site Request Forgery in Concrete CMS 9.x through 9.5.0 allows a remote unauthenticated attacker to trigger bulk page deletion by tricking an authenticated user into visiting a malicious web page. The vulnerable endpoint is concrete/controllers/dialog/page/bulk/delete, and exploitation results in low-integrity impact against the vulnerable system. No public exploit code has been identified at time of analysis, and the Concrete CMS security team assigned a CVSS v4.0 score of 2.3, reflecting the prerequisite of passive victim interaction and the constrained impact.
Cross-Site Request Forgery in Concrete CMS 9 allows a remote unauthenticated attacker to trigger unauthorized bulk cache operations against authenticated CMS users. The vulnerable endpoint is concrete/controllers/dialog/page/bulk/cache, which fails to validate request origin, enabling an attacker to manipulate page cache state by deceiving a logged-in user into loading a crafted page. No public exploit or active exploitation has been identified; the Concrete CMS security team rated this CVSS v4.0 2.3 (Low), reflecting limited integrity impact and the prerequisite of user interaction.
Cross-Site Request Forgery in Concrete CMS 9.x exposes the bulk page design dialog endpoint (concrete/controllers/dialog/page/bulk/design) to forged requests, allowing a network-accessible attacker to manipulate page design settings on behalf of an authenticated user who visits a malicious link. The Concrete CMS security team assigned a CVSS v4.0 score of 2.3 (Low), reflecting that exploitation requires specific attack prerequisites (AT:P) and user interaction (UI:P), with impact limited to low-severity integrity modifications on the vulnerable system. No public exploit identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.
Cross-site request forgery in Concrete CMS 9.x before 9.5.0 permits a remote unauthenticated attacker to trigger unauthorized event duplication on behalf of an authenticated user by luring that user to an attacker-controlled page. The vulnerable endpoint is `concrete/controllers/dialog/event/duplicate`, which lacks CSRF token validation. The vendor-assigned CVSS v4.0 score of 2.3 reflects genuinely low impact - limited to a low-integrity effect on the vulnerable system - and no public exploit code or CISA KEV listing has been identified at the time of analysis.
Cross-Site Request Forgery in Concrete CMS 9.x allows a remote unauthenticated attacker to trigger unauthorized reordering of Express Object associations by tricking an authenticated user into visiting a crafted page. The vulnerability targets the endpoint concrete/controllers/dialog/express/association/reorder, with impact limited to low-severity integrity modification of the vulnerable system only. No public exploit has been identified at time of analysis, and the low CVSS v4.0 score of 2.3 reflects the combination of required user interaction, specific prerequisite conditions (AT:P), and limited data impact.
Cross-Site Request Forgery in Concrete CMS 9.x allows a remote unauthenticated attacker to forge state-changing requests against the file manager's addFavoriteFolder endpoint on behalf of an authenticated victim. Exploitation results in low-integrity impact - specifically unauthorized modification of a victim's favorite folder state - without any confidentiality or availability consequences. No public exploit has been identified at time of analysis, and the low CVSS v4.0 score of 2.3 reflects the passive user interaction requirement and constrained impact scope.
Cross-Site Request Forgery in Concrete CMS 9.x (versions prior to 9.5.0) allows a remote attacker to trigger the removeFavoriteFolder action on behalf of an authenticated CMS user by tricking them into visiting a malicious page. The affected endpoint is concrete/controllers/backend/file and the impact is limited to low-integrity modification - removal of a favorite folder. No public exploit has been identified and this vulnerability is not confirmed as actively exploited (CISA KEV). The CVSS 4.0 score of 2.3 accurately reflects the constrained, low-impact nature of the flaw.
Cross-Site Request Forgery (CSRF) in Concrete CMS 9.x before 9.5.1 allows a remote unauthenticated attacker to trigger unauthorized file-starring actions on behalf of an authenticated victim by luring them to a malicious page. The vulnerable endpoint is concrete/controllers/backend/file/star(), and successful exploitation results in a low-integrity modification of file bookmark state within the CMS. No public exploit code has been identified at time of analysis, and the Concrete CMS security team assigned this a CVSS v4.0 score of 2.3, reflecting its narrow, low-impact scope.
CSRF vulnerability in Concrete CMS 9.x exposes the backend file rescan controller at concrete/controllers/backend/file to unauthorized state-changing requests. Affecting versions 9.0 through 9.4.x (patched in 9.5.1), an unauthenticated remote attacker can trigger unintended file rescan operations against an authenticated victim's session by luring them to a malicious page. Rated CVSS v4.0 at 2.3 - limited to low integrity impact with no confidentiality or availability consequence - and no public exploit identified at time of analysis.
Cross-Site Request Forgery (CSRF) in Concrete CMS 9.x through 9.5.0 allows a remote unauthenticated attacker to trigger unauthorized file rescanning via the rescanMultiple() function in the backend file controller, provided a logged-in user can be lured to interact with an attacker-crafted page. The integrity impact is limited to the vulnerable component, with no confidentiality or availability consequence. No public exploit or active exploitation has been identified; the Concrete CMS security team assigned a CVSS v4.0 score of 2.3, reflecting the low real-world impact and the prerequisite of user interaction and specific attack conditions.
Cross-Site Request Forgery in Concrete CMS versions 9.0 through 9.5.0 exposes the approveVersion() backend file management endpoint to forged requests, allowing an unauthenticated remote attacker to manipulate file version approval state on behalf of an authenticated victim. The vendor's own CVSS v4.0 scoring assigns a 2.3 (Very Low) severity, reflecting the constrained impact - limited to low integrity change within the vulnerable component with no confidentiality or availability consequence. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, positioning this as a low-priority but legitimately tracked integrity weakness in CMS file workflows.
OAuth 2.0 Authorization Code handler in Concrete CMS 9.5.0 and earlier fails to enforce account status checks, allowing users with suspended, banned, or terminated accounts (uIsActive=0) to complete OAuth flows and receive valid API tokens. Deployments using OAuth 2.0 as an authentication mechanism are affected, with the primary real-world impact being unauthorized continued access by deprovisioned users - such as terminated employees or revoked contractors - who retain OAuth credentials. With a CVSS v4.0 score of 2.3, no CISA KEV listing, and no public exploit identified at time of analysis, this is a low-severity issue with narrow scope but meaningful identity governance implications for organizations relying on CMS-level account suspension as a deprovisioning control.
Insecure Direct Object Reference (IDOR) in Concrete CMS 9.5.0 and below allows authenticated users with conversation posting rights to bypass the file permission system and reference arbitrary files from the CMS file manager. The AddMessage and UpdateMessage conversation controllers accept user-supplied integer attachment IDs and load file objects directly via the ORM without invoking the canViewFile() permission check, enabling unauthorized read and limited write access to files across the system. No public exploit code has been identified at time of analysis, and the ConcreteCMS security team assessed this as a low-severity issue (CVSS 4.0: 2.3), but sites storing sensitive private files are at meaningful risk if those files are served from within the webroot.
Unauthorized file deletion is possible in Concrete CMS 9.5.0 and below due to an inverted CSRF token validation logic in the DeleteFile controller, where the protection mechanism operates in reverse - rejecting legitimate requests and approving forged ones. A remote unauthenticated attacker (PR:N per CVSS v4.0) can craft a cross-site request forgery attack that deletes files on behalf of any victim authenticated with conversation message editing privileges. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV; the vendor-assigned CVSS v4.0 score of 2.3 reflects the constrained real-world impact given the required victim privilege level and mandatory user interaction.
Unauthorized disclosure of restricted calendar event details in Concrete CMS 9.5.0 and below stems from a missing authorization check in the Calendar Block's action_get_events handler, which never invokes canView on the target calendar before returning event data. Unauthenticated remote attackers who can reach the endpoint can retrieve event information that site administrators have explicitly restricted, provided a Calendar Block with access-controlled events is deployed. No public exploit code exists and the vulnerability is absent from the CISA KEV catalog; however, the network-accessible, zero-authentication nature of the endpoint lowers the bar for casual enumeration of restricted scheduling data.
Cross-calendar data disclosure in Concrete CMS 9.5.0 and below exposes private calendar event data to unauthenticated remote attackers via an authorization bypass (CWE-639) in the Calendar Event Frontend Dialog. A publicly accessible calendar block serves as a required pivot point, allowing attackers to reference and retrieve event data from private calendars within the same installation. No public exploit has been identified at time of analysis; the vendor assigned a CVSS 4.0 score of 6.3, reflecting constrained confidentiality impact and a prerequisite attack condition (AT:P).
Stored cross-site scripting in Concrete CMS 9.5.0 and earlier allows authenticated editors to inject persistent JavaScript via the unvalidated 'height' parameter, executing in any subsequent visitor's browser. The CVSS 4.0 score of 7.3 reflects high privilege requirements (editor role) combined with high impact, and no public exploit identified at time of analysis.
{fID}` lacks a permission check, returning page IDs, URL handles, and full URLs for every page referencing a given file - including pages explicitly restricted by CMS access controls. No public exploit identified at time of analysis, but the CVSS:4.0 AV:N/AC:L/AT:N/PR:N/UI:N vector confirms trivial, unauthenticated network exploitation with no complexity barrier.
Concrete CMS versions below 9.5.0 expose authenticated users to two related privilege-abuse primitives via a mass assignment flaw: password replacement without the current password, and disabling per-user IP-pinning that guards against session hijacking. The user-profile edit controller forwards the entire raw POST body to UserInfo::update() with no field whitelist, allowing any registered user to inject arbitrary model attributes - including the password field and session-security settings - into their own profile update. No public exploit code has been identified at time of analysis, but the attack is low-complexity and network-accessible for any authenticated user.
Reflected XSS in Concrete CMS 9.5.0 and below allows a remote unauthenticated attacker to inject and execute arbitrary JavaScript in the browser of an authenticated admin or report viewer who clicks a crafted URL targeting the legacy form reports dashboard. The vulnerable component, Concrete\Core\Legacy\Pagination, raw-interpolates a user-controlled URL value directly into an HTML href attribute, enabling attribute injection per CWE-83. With a CVSS 4.0 score of 6.0 and high confidentiality impact (VC:H) on the vulnerable system, successful exploitation can lead to session token theft; no public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV.
Insecure Direct Object Reference (IDOR) in Concrete CMS versions up to and including 9.5.0 enables unauthenticated remote attackers to cast fraudulent votes in restricted private surveys by submitting a private survey's optionID through the publicly accessible voting endpoint. The vulnerability is configuration-dependent - exploitation requires the target site to simultaneously host both public and private surveys - which the CVSS v4.0 vector encodes as AT:P (Attack Requirements: Present), moderately lowering the practical risk surface compared to a universally exploitable flaw. No public exploit code or active exploitation has been identified at time of analysis. Impact is limited to integrity: survey result manipulation with no confidentiality or availability consequence.
Unauthenticated page metadata disclosure in Concrete CMS 9.5.0 and below exposes private, draft, and restricted page details - including title, URL path, description, and author - to any remote attacker on sites with summary templates configured. The flaw stems from improper access control (CWE-284) where the summary template rendering pipeline bypasses page visibility restrictions entirely, making sensitive page structure visible without any credential. No active exploitation (CISA KEV) and no public exploit code have been identified at time of analysis; the CVSS v4.0 score of 6.3 with AT:P reflects that exploitation depends on a non-universal template configuration being present.
Unauthorized access to all Express form submissions is possible in Concrete CMS 9.5.0 and below through an Insecure Direct Object Reference (IDOR) in the Express Entry Detail block, exploitable by unauthenticated remote attackers who manipulate the exEntryID parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N) confirms network-accessible, unauthenticated exploitation, though the AT:P metric indicates a specific deployment precondition - the Express Entry Detail block must be in active use. No public exploit or CISA KEV listing has been identified at time of analysis; a vendor-released patch is available in the 9.5.1 release.
Unauthorized file download in Concrete CMS 9.5.0 and below exposes permission-restricted files via a broken authorization check in the file download controller. The submit_password() method in download_file.php processes file access without enforcing the view_file permission gate, producing two exploitable paths: any unauthenticated network actor can retrieve files that carry no password protection, and any actor who possesses a file's password can retrieve that file regardless of whether their account holds view_file permission. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Insecure Direct Object Reference (IDOR) in Concrete CMS 9.5.0 and earlier exposes the full content of any conversation message through an unauthenticated frontend API endpoint, including messages from restricted pages, member-only areas, and the moderation queue. Unauthenticated remote attackers can enumerate message records and harvest file attachment download URLs by querying `/ccm/frontend/conversations/message_page` without credentials. No public exploit code has been identified and no CISA KEV listing exists; however, the network-accessible unauthenticated attack vector (PR:N, AV:N) makes patching a priority for any public-facing installation using the Conversations feature.
Unauthenticated information disclosure in Concrete CMS 9.5.0 and earlier allows remote attackers to enumerate all conversation messages - including content from restricted pages, member-only areas, and the moderation queue - by exploiting a missing authorization check on the `/ccm/frontend/conversations/message_detail` endpoint. File attachment download URLs are also exposed, compounding the data leakage risk. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the attack requires no credentials and no user interaction, making bulk enumeration trivial once the conversations feature is confirmed active.
Insecure Direct Object Reference (IDOR) in Concrete CMS 9.5.0 and earlier allows unauthenticated remote attackers to enumerate arbitrary conversation message IDs via the `/ccm/frontend/conversations/get_rating` endpoint, confirming message existence and leaking rating scores. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:L) indicates no authentication is required but a prerequisite condition must be met - likely the Conversations module being enabled and publicly reachable. No public exploit has been identified and this CVE is not listed in CISA KEV, placing it in the low-priority tier despite its network-accessible nature.
{fID} endpoint without any credentials. The flaw combines CWE-862 (Missing Authorization) with a classic IDOR pattern on an integer file ID parameter, and is scored CVSS 4.0 at 6.3 (Medium) by the vendor with PR:N and AC:L, though the AT:P metric indicates that valid file IDs must exist for meaningful data to be returned. No public exploit code and no CISA KEV listing exist at time of analysis.
Stored XSS in Concrete CMS versions before 9.4.8 allows authenticated administrators to inject malicious scripts through the Switch Language block, affecting any site where a rogue admin account exists. Public exploit code is available for this vulnerability. A patch is available in version 9.4.8 and later.
Stored XSS in Concrete CMS Legacy Form block below version 9.4.8 allows authenticated users with form creation permissions to inject malicious JavaScript into multiple-choice question options, which executes for all users viewing the affected form. Public exploit code exists for this vulnerability. Administrators should upgrade to version 9.4.8 or later to remediate the risk of session hijacking and data theft.
Stored XSS in Concrete CMS versions before 9.4.8 allows authenticated users with page editing permissions to inject malicious scripts through the Legacy form Question field, targeting high-privilege accounts. Public exploit code exists for this vulnerability, which requires user interaction to execute. A patch is available in version 9.4.8 and later.
Concrete CMS versions below 9.4.8 contain a cross-site request forgery vulnerability in the Anti-Spam Allowlist Group Configuration that allows authenticated administrators to modify security settings without valid CSRF token validation. An attacker with administrative privileges can exploit this to bypass security controls by manipulating the group_id parameter before token verification occurs. Public exploit code exists for this vulnerability, and a patch is available.
Remote code execution in Concrete CMS prior to version 9.4.8 stems from unsafe deserialization of PHP objects in the Express Entry List block configuration. An authenticated administrator can inject malicious serialized data through the columns parameter that executes arbitrary code when unserialized without validation. This allows attackers with admin privileges to achieve complete system compromise through stored object injection attacks.
Concrete CMS versions below 9.4.8 contain a stored XSS vulnerability in the search block where unencoded page names and content are rendered in search results, allowing authenticated administrators to inject malicious JavaScript that executes for other users. Public exploit code exists for this vulnerability, which requires high privileges and user interaction to exploit. The vulnerability affects confidentiality and integrity but not availability.
Concrete CMS versions 9 through 9.4.2 are vulnerable to Stored XSS from Home Folder on Members Dashboard page. Rated low severity (CVSS 2.0), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Page. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS version 9 below 9.4.0RC2 and versions below 8.5.20 are vulnerable to CSRF and XSS in the Concrete CMS Address attribute because addresses are not properly sanitized in the output when a. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in Image Editor Background Color. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Concrete CMS versions 9.0.0 through 9.3.3 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in the "Next&Previous Nav" block. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in Board instances. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Concrete CMS versions 9 through 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in getAttributeSetName(). Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board instance functionality. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity.
Concrete CMS version 9 prior to 9.2.8 and previous versions prior to 8.5.16 are vulnerable to Stored XSS in the Search Field. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS version 9 below 9.2.8 and previous versions below 8.5.16 is vulnerable to Stored XSS in blocks of type file. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS version 9 before 9.2.8 and previous versions before 8.5.16 are vulnerable to Stored XSS in the Custom Class page editing. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS versions 9 below 9.2.8 and versions below 8.5.16 are vulnerable to Cross-site Scripting (XSS) in the Advanced File Search Filter. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS version 9 before 9.2.8 and previous versions prior to 8.5.16 is vulnerable to Stored XSS on the calendar color settings screen since Information input by the user is output without. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS version 9 before 9.2.7 is vulnerable to Stored XSS via the Name field of a Group type since there is insufficient validation of administrator provided data for that field. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature due to insufficient validation of administrator provided data. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator entered file attributes are not sufficiently sanitized in the Edit. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS via the Role Name field since there is insufficient validation of administrator provided data for that field. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery (CSRF) via /ccm/system/dialogs/logs/delete_all/submit. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows stored XSS on the Admin page via an uploaded file name. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS v.9.2.1 allow an attacker to execute arbitrary code via a crafted script to the Header and Footer Tracking Codes of the SEO &. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Concrete CMS v9.2.1 is affected by an Arbitrary File Upload vulnerability via a Thumbnail file upload, which allows Cross-Site Scripting (XSS). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A Cross Site Scripting (XSS) vulnerability in Concrete CMS v.9.2.1 allows an attacker to execute arbitrary code via a crafted script to the SEO - Extra from Page Settings. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A Cross Site Scripting (XSS) vulnerability in Concrete CMS versions 8.5.12 and below, and 9.0 through 9.2.1 allows an attacker to execute arbitrary code via a crafted script to Plural Handle of the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A Cross Site Scripting (XSS) vulnerability in Concrete CMS before 9.2.3 exists via the Name parameter during installation (aka Site of Installation or Settings). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
A Cross Site Scripting (XSS) vulnerability in Concrete CMS from versions 9.2.0 to 9.2.2 allows an attacker to execute arbitrary code via a crafted script to the Tags from Settings - Tags. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Multiple Cross Site Scripting (XSS) vulnerabilities in Concrete CMS versions affected to 8.5.13 and below, and 9.0.0 through 9.2.1 allow a local attacker to execute arbitrary code via a crafted. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS (previously concrete5) versions 8.5.12 and below, 9.0.0 through 9.0.2 is vulnerable to Stored XSS in uploaded file and folder names. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to stored XSS on API Integrations via the name parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Tags on uploaded files. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS (previously concrete5) versions 8.5.12 and below, and versions 9.0 through 9.1.3 is vulnerable to Reflected XSS on the Reply form because msgID was not sanitized. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Saved Presets on search. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to possible Auth bypass in the jobs section. Rated low severity (CVSS 3.3), this vulnerability is remotely exploitable. No vendor patch available.
Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 does not have Secure and HTTP only attributes set for ccmPoll cookies. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS via a container name. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 inadvertently disclose server-side sensitive information (secrets in environment variables and server information) when. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 did not use strict comparison for the legacy_salt so that limited authentication bypass could occur if using this. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in icons since the Microsoft application tile color is not sanitized. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the dashboard icons due to un-sanitized output. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the multilingual report due to un-sanitized output. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
In Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2, the authTypeConcreteCookieMap table can be filled up causing a denial of service (high load). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.