Skip to main content

Concrete Cms

134 CVEs product

Monthly

CVE-2022-43694 PHP MEDIUM PATCH This Month

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the image manipulation library due to un-sanitized output. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Concrete Cms
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2022-43692 PHP MEDIUM PATCH This Month

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS - user can cause an administrator to trigger reflected XSS with a url if the targeted. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Concrete Cms
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2022-43693 PHP HIGH PATCH This Week

Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Concrete Cms
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2022-30120 PHP MEDIUM PATCH This Month

XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Concrete Cms
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2022-30119 MEDIUM This Month

XSS in /dashboard/reports/logs/view - old browsers only. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Concrete Cms
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2022-30118 MEDIUM This Month

Title for CVE: XSS in /dashboard/system/express/entities/forms/save_control/[GUID]: old browsers only.Description: When using Internet Explorer with the XSS protection disabled, editing a form. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Concrete Cms
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2022-30117 PHP CRITICAL PATCH Act Now

Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 allow traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Path Traversal Concrete Cms
NVD
CVSS 3.1
9.1
EPSS
2.0%
CVE-2022-21829 PHP CRITICAL PATCH Act Now

Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Concrete Cms
NVD
CVSS 3.1
9.8
EPSS
1.7%
CVE-2021-40101 HIGH This Week

An issue was discovered in Concrete CMS before 8.5.7. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Concrete Cms
NVD
CVSS 3.1
7.2
EPSS
2.6%
CVE-2021-22970 PHP HIGH PATCH This Week

Concrete CMS (formerly concrete5) versions 8.5.6 and below and version 9.0.0 allow local IP importing causing the system to be vulnerable toa. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Concrete Cms
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2021-22969 PHP MEDIUM PATCH This Month

Concrete CMS (formerly concrete5) versions below 8.5.7 has a SSRF mitigation bypass using DNS Rebind attack giving an attacker the ability to fetch cloud IAAS (ex AWS) IAM keys.To fix this Concrete. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Concrete Cms
NVD
CVSS 3.1
5.3
EPSS
0.8%
CVE-2021-22968 PHP HIGH POC PATCH This Week

A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below.The external file upload. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

LFI RCE PHP File Upload Concrete Cms
NVD
CVSS 3.1
7.2
EPSS
3.1%
CVE-2021-22967 PHP HIGH PATCH This Week

In Concrete CMS (formerly concrete 5) below 8.5.7, IDOR Allows Unauthenticated User to Access Restricted Files If Allowed to Add Message to a Conversation.To remediate this, a check was added to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Concrete Cms
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2021-22966 PHP HIGH PATCH This Week

Privilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Authentication Bypass Concrete Cms
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2021-22951 PHP HIGH PATCH This Week

Unauthorized individuals could view password protected files using view_inline in Concrete CMS (previously concrete 5) prior to version 8.5.7. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Concrete Cms
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2021-22958 PHP CRITICAL PATCH Act Now

A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP address to bypass the limitations in place for localhost allowing interaction. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Concrete Cms
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2021-40109 MEDIUM This Month

A SSRF issue was discovered in Concrete CMS through 8.5.5. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Concrete Cms
NVD
CVSS 3.1
6.4
EPSS
0.5%
CVE-2021-40108 HIGH This Week

An issue was discovered in Concrete CMS through 8.5.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Concrete Cms
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2021-40106 MEDIUM This Month

An issue was discovered in Concrete CMS through 8.5.5. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Concrete Cms
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-40105 MEDIUM This Month

An issue was discovered in Concrete CMS through 8.5.5. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Concrete Cms
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-40104 HIGH This Week

An issue was discovered in Concrete CMS through 8.5.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Concrete Cms
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2021-40103 HIGH This Week

An issue was discovered in Concrete CMS through 8.5.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal SSRF Concrete Cms
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2021-40098 CRITICAL Act Now

An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Concrete Cms
NVD
CVSS 3.1
9.8
EPSS
1.6%
CVE-2021-40097 HIGH This Week

An issue was discovered in Concrete CMS through 8.5.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP RCE Path Traversal Concrete Cms
NVD
CVSS 3.1
8.8
EPSS
2.4%
CVE-2021-40102 CRITICAL Act Now

An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization PHP Concrete Cms
NVD
CVSS 3.1
9.1
EPSS
1.3%
CVE-2021-40100 MEDIUM This Month

An issue was discovered in Concrete CMS through 8.5.5. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Concrete Cms
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2021-40099 HIGH This Week

An issue was discovered in Concrete CMS through 8.5.5. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Concrete Cms
NVD
CVSS 3.1
7.2
EPSS
2.0%
CVE-2021-22953 MEDIUM This Month

A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to clone topics which can lead to UI inconvenience, and exhaustion of disk space.Credit for discovery: "Solar Security Research Team". Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Concrete Cms
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2021-22950 MEDIUM This Month

Concrete CMS prior to 8.5.6 had a CSFR vulnerability allowing attachments to comments in the conversation section to be deleted.Credit for discovery: "Solar Security Research Team". Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Concrete Cms
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2021-22949 MEDIUM This Month

A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to duplicate files which can lead to UI inconvenience, and exhaustion of disk space.Credit for discovery: "Solar Security CMS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Concrete Cms
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2021-36766 HIGH POC This Week

Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP Concrete Cms
NVD
CVSS 3.1
7.2
EPSS
3.7%
CVE-2021-28145 PHP MEDIUM PATCH This Month

Concrete CMS (formerly concrete5) before 8.5.5 allows remote authenticated users to conduct XSS attacks via a crafted survey block. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Concrete Cms
NVD
CVSS 3.1
5.4
EPSS
0.9%
CVE-2021-3111 MEDIUM POC This Month

The Express Entries Dashboard in Concrete5 8.5.4 allows stored XSS via the name field of a new data object at an index.php/dashboard/express/entries/view/ URI. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Concrete Cms
NVD GitHub Exploit-DB
CVSS 3.1
4.8
EPSS
3.0%
CVE-2020-24986 HIGH POC This Week

Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File Manager. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP Concrete Cms
NVD
CVSS 3.1
7.2
EPSS
2.0%
CVE-2020-11476 PHP HIGH POC PATCH This Week

Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

File Upload Concrete Cms
NVD GitHub
CVSS 3.1
7.2
EPSS
2.9%
CVE-2020-14961 PHP MEDIUM PATCH This Month

Concrete5 before 8.5.3 does not constrain the sort direction to a valid asc or desc value. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Concrete Cms
NVD GitHub
CVSS 3.1
5.3
EPSS
0.9%
CVE-2018-13790 HIGH POC This Week

A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to attacks on the local network and mapping of the internal network, because of URL. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF PHP Concrete Cms
NVD
CVSS 3.1
7.2
EPSS
1.0%
CVE-2015-4724 HIGH This Week

SQL injection vulnerability in Concrete5 5.7.3.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Concrete Cms
NVD
CVSS 3.0
8.8
EPSS
0.2%
CVE-2015-4721 MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in Concrete5 5.7.3.1. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Concrete Cms
NVD
CVSS 3.0
6.1
EPSS
0.2%
CVE-2017-8082 MEDIUM POC This Month

concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire installation by merely tricking an admin into viewing a malicious page involving. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service CSRF Concrete Cms
NVD
CVSS 3.0
6.5
EPSS
0.5%
CVE-2017-7725 PHP MEDIUM POC This Month

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "canonical" URL on installation of concrete5 using the "Advanced Options". Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Canonical Concrete Cms
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
3.6%
CVE-2014-9526 MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in concrete5 5.7.2.1, 5.7.2, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) gName parameter in. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS PHP Concrete5 Concrete Cms
NVD
CVSS 2.0
4.3
EPSS
0.4%
CVE-2014-5108 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in single_pages\download_file.php in concrete5 before 5.6.3 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS PHP Concrete5 Concrete Cms
NVD
CVSS 2.0
4.3
EPSS
0.4%
CVE-2014-5107 MEDIUM This Month

concrete5 before 5.6.3 allows remote attackers to obtain the installation path via a direct request to (1) system/basics/editor.php, (2) system/view.php, (3). Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Information Disclosure Concrete5 Concrete Cms
NVD
CVSS 2.0
5.0
EPSS
1.3%
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the image manipulation library due to un-sanitized output. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Concrete Cms
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS - user can cause an administrator to trigger reflected XSS with a url if the targeted. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Concrete Cms
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF Concrete Cms
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Concrete Cms
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

XSS in /dashboard/reports/logs/view - old browsers only. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Concrete Cms
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

Title for CVE: XSS in /dashboard/system/express/entities/forms/save_control/[GUID]: old browsers only.Description: When using Internet Explorer with the XSS protection disabled, editing a form. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Concrete Cms
NVD
EPSS 2% CVSS 9.1
CRITICAL PATCH Act Now

Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 allow traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Path Traversal Concrete Cms
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Concrete Cms
NVD
EPSS 3% CVSS 7.2
HIGH This Week

An issue was discovered in Concrete CMS before 8.5.7. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Concrete Cms
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Concrete CMS (formerly concrete5) versions 8.5.6 and below and version 9.0.0 allow local IP importing causing the system to be vulnerable toa. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Concrete Cms
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Concrete CMS (formerly concrete5) versions below 8.5.7 has a SSRF mitigation bypass using DNS Rebind attack giving an attacker the ability to fetch cloud IAAS (ex AWS) IAM keys.To fix this Concrete. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Concrete Cms
NVD
EPSS 3% CVSS 7.2
HIGH POC PATCH This Week

A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below.The external file upload. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

LFI RCE PHP +2
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

In Concrete CMS (formerly concrete 5) below 8.5.7, IDOR Allows Unauthenticated User to Access Restricted Files If Allowed to Add Message to a Conversation.To remediate this, a check was added to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Concrete Cms
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Privilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Authentication Bypass Concrete Cms
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Unauthorized individuals could view password protected files using view_inline in Concrete CMS (previously concrete 5) prior to version 8.5.7. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Concrete Cms
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP address to bypass the limitations in place for localhost allowing interaction. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Concrete Cms
NVD
EPSS 1% CVSS 6.4
MEDIUM This Month

A SSRF issue was discovered in Concrete CMS through 8.5.5. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SSRF Concrete Cms
NVD
EPSS 0% CVSS 8.8
HIGH This Week

An issue was discovered in Concrete CMS through 8.5.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Concrete Cms
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

An issue was discovered in Concrete CMS through 8.5.5. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Concrete Cms
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

An issue was discovered in Concrete CMS through 8.5.5. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Concrete Cms
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An issue was discovered in Concrete CMS through 8.5.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Concrete Cms
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An issue was discovered in Concrete CMS through 8.5.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal SSRF Concrete Cms
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Concrete Cms
NVD
EPSS 2% CVSS 8.8
HIGH This Week

An issue was discovered in Concrete CMS through 8.5.5. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP RCE Path Traversal +1
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

An issue was discovered in Concrete CMS through 8.5.5. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization PHP Concrete Cms
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

An issue was discovered in Concrete CMS through 8.5.5. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Concrete Cms
NVD
EPSS 2% CVSS 7.2
HIGH This Week

An issue was discovered in Concrete CMS through 8.5.5. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Concrete Cms
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to clone topics which can lead to UI inconvenience, and exhaustion of disk space.Credit for discovery: "Solar Security Research Team". Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Concrete Cms
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Concrete CMS prior to 8.5.6 had a CSFR vulnerability allowing attachments to comments in the conversation section to be deleted.Credit for discovery: "Solar Security Research Team". Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Concrete Cms
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to duplicate files which can lead to UI inconvenience, and exhaustion of disk space.Credit for discovery: "Solar Security CMS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Concrete Cms
NVD
EPSS 4% CVSS 7.2
HIGH POC This Week

Concrete5 through 8.5.5 deserializes Untrusted Data. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization PHP Concrete Cms
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Concrete CMS (formerly concrete5) before 8.5.5 allows remote authenticated users to conduct XSS attacks via a crafted survey block. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Concrete Cms
NVD
EPSS 3% CVSS 4.8
MEDIUM POC This Month

The Express Entries Dashboard in Concrete5 8.5.4 allows stored XSS via the name field of a new data object at an index.php/dashboard/express/entries/view/ URI. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Concrete Cms
NVD GitHub Exploit-DB
EPSS 2% CVSS 7.2
HIGH POC This Week

Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File Manager. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload PHP Concrete Cms
NVD
EPSS 3% CVSS 7.2
HIGH POC PATCH This Week

Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

File Upload Concrete Cms
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Concrete5 before 8.5.3 does not constrain the sort direction to a valid asc or desc value. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Concrete Cms
NVD GitHub
EPSS 1% CVSS 7.2
HIGH POC This Week

A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to attacks on the local network and mapping of the internal network, because of URL. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF PHP Concrete Cms
NVD
EPSS 0% CVSS 8.8
HIGH This Week

SQL injection vulnerability in Concrete5 5.7.3.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Concrete Cms
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in Concrete5 5.7.3.1. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Concrete Cms
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire installation by merely tricking an admin into viewing a malicious page involving. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service CSRF Concrete Cms
NVD
EPSS 4% CVSS 6.1
MEDIUM POC This Month

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "canonical" URL on installation of concrete5 using the "Advanced Options". Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Canonical Concrete Cms
NVD Exploit-DB
EPSS 0% CVSS 4.3
MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in concrete5 5.7.2.1, 5.7.2, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) gName parameter in. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS PHP Concrete5 +1
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in single_pages\download_file.php in concrete5 before 5.6.3 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS PHP Concrete5 +1
NVD
EPSS 1% CVSS 5.0
MEDIUM This Month

concrete5 before 5.6.3 allows remote attackers to obtain the installation path via a direct request to (1) system/basics/editor.php, (2) system/view.php, (3). Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP Information Disclosure Concrete5 +1
NVD
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy