Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Concrete_cms
(Concretecms)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 99 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2021-09-23 | CVE-2021-22949 | A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to duplicate files which can lead to UI inconvenience, and exhaustion of disk space.Credit for discovery: "Solar Security CMS Research Team" | Concrete_cms | 5.4 | ||
| 2021-09-23 | CVE-2021-22950 | Concrete CMS prior to 8.5.6 had a CSFR vulnerability allowing attachments to comments in the conversation section to be deleted.Credit for discovery: "Solar Security Research Team" | Concrete_cms | 6.5 | ||
| 2021-09-23 | CVE-2021-22953 | A CSRF in Concrete CMS version 8.5.5 and below allows an attacker to clone topics which can lead to UI inconvenience, and exhaustion of disk space.Credit for discovery: "Solar Security Research Team" | Concrete_cms | 5.4 | ||
| 2021-09-24 | CVE-2021-40099 | An issue was discovered in Concrete CMS through 8.5.5. Fetching the update json scheme over HTTP leads to remote code execution. | Concrete_cms | 7.2 | ||
| 2021-09-24 | CVE-2021-40100 | An issue was discovered in Concrete CMS through 8.5.5. Stored XSS can occur in Conversations when the Active Conversation Editor is set to Rich Text. | Concrete_cms | 5.4 | ||
| 2021-09-24 | CVE-2021-40102 | An issue was discovered in Concrete CMS through 8.5.5. Arbitrary File deletion can occur via PHAR deserialization in is_dir (PHP Object Injection associated with the __wakeup magic method). | Concrete_cms | 9.1 | ||
| 2021-09-27 | CVE-2021-40097 | An issue was discovered in Concrete CMS through 8.5.5. Authenticated path traversal leads to to remote code execution via uploaded PHP code, related to the bFilename parameter. | Concrete_cms | 8.8 | ||
| 2021-09-27 | CVE-2021-40098 | An issue was discovered in Concrete CMS through 8.5.5. Path Traversal leading to RCE via external form by adding a regular expression. | Concrete_cms | 9.8 | ||
| 2021-09-27 | CVE-2021-40103 | An issue was discovered in Concrete CMS through 8.5.5. Path Traversal can lead to Arbitrary File Reading and SSRF. | Concrete_cms | 7.5 | ||
| 2021-09-27 | CVE-2021-40104 | An issue was discovered in Concrete CMS through 8.5.5. There is an SVG sanitizer bypass. | Concrete_cms | 7.5 |