Filtered by vendor Concretecms
Total 85 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2023-28473 1 Concretecms 1 Concrete Cms 2024-08-02 3.3 Low
Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3, are vulnerable to a possible auth bypass in the jobs section.
CVE-2023-28474 1 Concretecms 1 Concrete Cms 2024-08-02 5.4 Medium
Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Saved Presets on search.
CVE-2023-28477 1 Concretecms 1 Concrete Cms 2024-08-02 5.5 Medium
Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3, are vulnerable to stored XSS on API Integrations via the name parameter.
CVE-2024-1246 1 Concretecms 1 Concrete Cms 2024-08-01 2 Low
Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature due to insufficient validation of administrator-provided data. A rogue administrator could inject malicious code when importing images, leading to the execution of the malicious code in the website user’s browser. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N. This does not affect Concrete versions prior to version 9.
CVE-2024-1247 1 Concretecms 1 Concrete Cms 2024-08-01 2 Low
Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS via the Role Name field since there is insufficient validation of administrator-provided data for that field. A rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the affected page. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator). Concrete versions below 9 do not include group types so they are not affected by this vulnerability.