CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Concretecms » Concrete Cms » * * * * : Security Vulnerabilities

Cpe Name:cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2021-40109 918 2021-09-27 2021-09-30
5.5
None Remote Low ??? Partial Partial None
A SSRF issue was discovered in Concrete CMS through 8.5.5. Users can access forbidden files on their local network. A user with permissions to upload files from external sites can upload a URL that redirects to an internal resource of any file type. The redirect is followed and loads the contents of the file from the redirected-to server. Files of disallowed types can be uploaded.
2 CVE-2021-40108 352 CSRF 2021-09-27 2021-09-30
6.8
None Remote Medium Not required Partial Partial Partial
An issue was discovered in Concrete CMS through 8.5.5. The Calendar is vulnerable to CSRF. ccm_token is not verified on the ccm/calendar/dialogs/event/add/save endpoint.
3 CVE-2021-40106 79 XSS 2021-09-27 2021-10-01
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Concrete CMS through 8.5.5. There is unauthenticated stored XSS in blog comments via the website field.
4 CVE-2021-40105 79 XSS 2021-09-27 2021-10-01
4.3
None Remote Medium Not required None Partial None
An issue was discovered in Concrete CMS through 8.5.5. There is XSS via Markdown Comments.
5 CVE-2021-40104 863 Bypass 2021-09-27 2021-10-01
5.0
None Remote Low Not required None Partial None
An issue was discovered in Concrete CMS through 8.5.5. There is an SVG sanitizer bypass.
6 CVE-2021-40103 22 Dir. Trav. 2021-09-27 2021-10-01
5.0
None Remote Low Not required Partial None None
An issue was discovered in Concrete CMS through 8.5.5. Path Traversal can lead to Arbitrary File Reading and SSRF.
7 CVE-2021-40102 502 2021-09-24 2021-09-30
6.4
None Remote Low Not required None Partial Partial
An issue was discovered in Concrete CMS through 8.5.5. Arbitrary File deletion can occur via PHAR deserialization in is_dir (PHP Object Injection associated with the __wakeup magic method).
8 CVE-2021-40101 732 2021-11-30 2021-12-01
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in Concrete CMS before 8.5.7. The Dashboard allows a user's password to be changed without a prompt for the current password.
9 CVE-2021-40100 79 XSS 2021-09-24 2021-09-30
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Concrete CMS through 8.5.5. Stored XSS can occur in Conversations when the Active Conversation Editor is set to Rich Text.
10 CVE-2021-40099 Exec Code 2021-09-24 2021-09-30
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in Concrete CMS through 8.5.5. Fetching the update json scheme over HTTP leads to remote code execution.
11 CVE-2021-40098 22 Dir. Trav. 2021-09-27 2021-10-01
7.5
None Remote Low Not required Partial Partial Partial
An issue was discovered in Concrete CMS through 8.5.5. Path Traversal leading to RCE via external form by adding a regular expression.
12 CVE-2021-40097 22 Exec Code Dir. Trav. 2021-09-27 2021-10-01
6.5
None Remote Low ??? Partial Partial Partial
An issue was discovered in Concrete CMS through 8.5.5. Authenticated path traversal leads to to remote code execution via uploaded PHP code, related to the bFilename parameter.
13 CVE-2021-36766 502 2021-07-30 2021-09-22
6.5
None Remote Low ??? Partial Partial Partial
Concrete5 through 8.5.5 deserializes Untrusted Data. The vulnerable code is located within the controllers/single_page/dashboard/system/environment/logging.php Logging::update_logging() method. User input passed through the logFile request parameter is not properly sanitized before being used in a call to the file_exists() PHP function. This can be exploited by malicious users to inject arbitrary PHP objects into the application scope (PHP Object Injection via phar:// stream wrapper), allowing them to carry out a variety of attacks, such as executing arbitrary PHP code.
14 CVE-2021-28145 79 XSS 2021-03-18 2021-11-17
3.5
None Remote Medium ??? None Partial None
Concrete CMS (formerly concrete5) before 8.5.5 allows remote authenticated users to conduct XSS attacks via a crafted survey block. This requires at least Editor privileges.
15 CVE-2021-22970 918 Bypass 2021-11-19 2021-11-23
5.0
None Remote Low Not required Partial None None
Concrete CMS (formerly concrete5) versions 8.5.6 and below and version 9.0.0 allow local IP importing causing the system to be vulnerable toa. SSRF attacks on the private LAN servers by reading files from the local LAN. An attacker can pivot in the private LAN and exploit local network appsandb. SSRF Mitigation Bypass through DNS RebindingConcrete CMS security team gave this a CVSS score of 3.5 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:NConcrete CMS is maintaining Concrete version 8.5.x until 1 May 2022 for security fixes.This CVE is shared with HackerOne Reports https://hackerone.com/reports/1364797 and https://hackerone.com/reports/1360016Reporters: Adrian Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/ ) and Bipul Jaiswal
16 CVE-2021-22969 918 Bypass 2021-11-19 2021-11-23
5.0
None Remote Low Not required Partial None None
Concrete CMS (formerly concrete5) versions below 8.5.7 has a SSRF mitigation bypass using DNS Rebind attack giving an attacker the ability to fetch cloud IAAS (ex AWS) IAM keys.To fix this Concrete CMS no longer allows downloads from the local network and specifies the validated IP when downloading rather than relying on DNS.Discoverer: Adrian Tiron from FORTBRIDGE ( https://www.fortbridge.co.uk/ )The Concrete CMS team gave this a CVSS 3.1 score of 3.5 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N . Please note that Cloud IAAS provider mis-configurations are not Concrete CMS vulnerabilities. A mitigation for this vulnerability is to make sure that the IMDS configurations are according to a cloud provider's best practices.This fix is also in Concrete version 9.0.0
17 CVE-2021-22968 Exec Code Bypass 2021-11-19 2021-11-23
6.5
None Remote Low ??? Partial Partial Partial
A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below.The external file upload feature stages files in the public directory even if they have disallowed file extensions. They are stored in a directory with a random name, but it's possible to stall the uploads and brute force the directory name. You have to be an admin with the ability to upload files, but this bug gives you the ability to upload restricted file types and execute them depending on server configuration.To fix this, a check for allowed file extensions was added before downloading files to a tmp directory.Concrete CMS Security Team gave this a CVSS v3.1 score of 5.4 AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:NThis fix is also in Concrete version 9.0.0
18 CVE-2021-22967 639 2021-11-19 2021-11-23
5.0
None Remote Low Not required Partial None None
In Concrete CMS (formerly concrete 5) below 8.5.7, IDOR Allows Unauthenticated User to Access Restricted Files If Allowed to Add Message to a Conversation.To remediate this, a check was added to verify a user has permissions to view files before attaching the files to a message in "add / edit messageā€.Concrete CMS security team gave this a CVSS v3.1 score of 4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NCredit for discovery Adrian H
19 CVE-2021-22966 269 2021-11-19 2021-11-23
6.5
None Remote Low ??? Partial Partial Partial
Privilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. If a group is granted "view" permissions on the bulkupdate page, then users in that group can escalate to being an administrator with a specially crafted curl. Fixed by adding a check for group permissions before allowing a group to be moved. Concrete CMS Security team CVSS scoring: 7.1 AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:HCredit for discovery: "Adrian Tiron from FORTBRIDGE ( https://www.fortbridge.co.uk/ )"This fix is also in Concrete version 9.0.0
20 CVE-2021-22958 918 Bypass 2021-10-07 2021-11-01
7.5
None Remote Low Not required Partial Partial Partial
A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP address to bypass the limitations in place for localhost allowing interaction with local services. Impact can vary depending on services exposed.CVSSv2.0 AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
21 CVE-2021-22953 352 CSRF 2021-09-23 2021-10-19
5.8
None Remote Medium Not required None Partial Partial
A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to clone topics which can lead to UI inconvenience, and exhaustion of disk space.Credit for discovery: "Solar Security Research Team"
22 CVE-2021-22951 639 2021-11-19 2021-11-23
5.0
None Remote Low Not required Partial None None
Unauthorized individuals could view password protected files using view_inline in Concrete CMS (previously concrete 5) prior to version 8.5.7. Concrete CMS now checks to see if a file has a password in view_inline and, if it does, the file is not rendered.For version 8.5.6, the following mitigations were put in place a. restricting file types for view_inline to images only b. putting a warning in the file manager to advise users.Credit for discovery: "Solar Security Research Team"Concrete CMS security team CVSS scoring is 5.3: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NThis fix is also in Concrete version 9.0.0
23 CVE-2021-22950 352 2021-09-23 2021-09-30
4.3
None Remote Medium Not required None Partial None
Concrete CMS prior to 8.5.6 had a CSFR vulnerability allowing attachments to comments in the conversation section to be deleted.Credit for discovery: "Solar Security Research Team"
24 CVE-2021-22949 352 CSRF 2021-09-23 2021-10-19
5.8
None Remote Medium Not required None Partial Partial
A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to duplicate files which can lead to UI inconvenience, and exhaustion of disk space.Credit for discovery: "Solar Security CMS Research Team"
25 CVE-2021-3111 79 XSS 2021-01-08 2021-07-22
3.5
None Remote Medium ??? None Partial None
The Express Entries Dashboard in Concrete5 8.5.4 allows stored XSS via the name field of a new data object at an index.php/dashboard/express/entries/view/ URI.
26 CVE-2020-24986 434 Exec Code 2020-09-04 2021-11-01
9.0
None Remote Low ??? Complete Complete Complete
Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File Manager. It is possible to modify site configuration to upload the PHP file and execute arbitrary commands.
27 CVE-2020-14961 2020-06-22 2021-11-01
5.0
None Remote Low Not required None Partial None
Concrete5 before 8.5.3 does not constrain the sort direction to a valid asc or desc value.
28 CVE-2020-11476 434 2020-07-28 2021-11-01
9.0
None Remote Low ??? Complete Complete Complete
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file.
29 CVE-2017-18195 2018-02-26 2021-11-01
5.0
None Remote Low Not required Partial None None
An issue was discovered in tools/conversations/view_ajax.php in Concrete5 before 8.3.0. An unauthenticated user can enumerate comments from all blog posts by POSTing requests to /index.php/tools/required/conversations/view_ajax with incremental 'cnvID' integers.
30 CVE-2011-3183 79 XSS 2020-01-14 2021-07-15
4.3
None Remote Medium Not required None Partial None
A Cross-Site Scripting (XSS) vulnerability exists in the rcID parameter in Concrete CMS 5.4.1.1 and earlier.
Total number of vulnerabilities : 30   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.