Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Concrete_cms
(Concretecms)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 99 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2021-09-24 | CVE-2021-40102 | An issue was discovered in Concrete CMS through 8.5.5. Arbitrary File deletion can occur via PHAR deserialization in is_dir (PHP Object Injection associated with the __wakeup magic method). | Concrete_cms | 9.1 | ||
| 2021-09-27 | CVE-2021-40097 | An issue was discovered in Concrete CMS through 8.5.5. Authenticated path traversal leads to to remote code execution via uploaded PHP code, related to the bFilename parameter. | Concrete_cms | 8.8 | ||
| 2021-09-27 | CVE-2021-40098 | An issue was discovered in Concrete CMS through 8.5.5. Path Traversal leading to RCE via external form by adding a regular expression. | Concrete_cms | 9.8 | ||
| 2021-09-27 | CVE-2021-40103 | An issue was discovered in Concrete CMS through 8.5.5. Path Traversal can lead to Arbitrary File Reading and SSRF. | Concrete_cms | 7.5 | ||
| 2021-09-27 | CVE-2021-40104 | An issue was discovered in Concrete CMS through 8.5.5. There is an SVG sanitizer bypass. | Concrete_cms | 7.5 | ||
| 2021-09-27 | CVE-2021-40105 | An issue was discovered in Concrete CMS through 8.5.5. There is XSS via Markdown Comments. | Concrete_cms | 6.1 | ||
| 2021-09-27 | CVE-2021-40106 | An issue was discovered in Concrete CMS through 8.5.5. There is unauthenticated stored XSS in blog comments via the website field. | Concrete_cms | 6.1 | ||
| 2021-09-27 | CVE-2021-40108 | An issue was discovered in Concrete CMS through 8.5.5. The Calendar is vulnerable to CSRF. ccm_token is not verified on the ccm/calendar/dialogs/event/add/save endpoint. | Concrete_cms | 8.8 | ||
| 2021-09-27 | CVE-2021-40109 | A SSRF issue was discovered in Concrete CMS through 8.5.5. Users can access forbidden files on their local network. A user with permissions to upload files from external sites can upload a URL that redirects to an internal resource of any file type. The redirect is followed and loads the contents of the file from the redirected-to server. Files of disallowed types can be uploaded. | Concrete_cms | 6.4 | ||
| 2021-10-07 | CVE-2021-22958 | A Server-Side Request Forgery vulnerability was found in concrete5 < 8.5.5 that allowed a decimal notation encoded IP address to bypass the limitations in place for localhost allowing interaction with local services. Impact can vary depending on services exposed.CVSSv2.0 AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N | Concrete_cms | 9.8 |