📦 Concrete CMS
by Concretecms
🛡️ Security Overview
⚠️ Known Vulnerabilities
Concrete CMS versions before 8.5.13 and 9.x before 9.2.2 create directories with insecure default permissions (0777), allowing unauthorized access. This affects all installations using vulnerable vers...
This vulnerability in Concrete CMS allows authenticated high-privilege users to download zip files over unencrypted HTTP connections and execute code from those files, leading to remote code execution...
This vulnerability in Concrete CMS allows authenticated attackers to perform directory traversal via the file upload endpoint, potentially leading to arbitrary file deletion. It affects Concrete CMS v...
This vulnerability in Concrete CMS allows attackers to perform path traversal attacks through external forms, leading to remote code execution. It affects all Concrete CMS installations through versio...
This vulnerability allows authenticated users in Concrete CMS to change their own or potentially other users' passwords without providing the current password. This affects all Concrete CMS installati...
CVE-2021-22967 is an Insecure Direct Object Reference (IDOR) vulnerability in Concrete CMS that allows unauthenticated users to access restricted files if they have permission to add messages to conve...
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Concrete CMS that allows authenticated users to make requests to internal network resources. Attackers can read files from loca...
This CSRF vulnerability in Concrete CMS allows attackers to trick authenticated users into unknowingly adding malicious calendar events. Attackers can create fake events that could contain malicious l...
This CVE describes an SVG sanitizer bypass vulnerability in Concrete CMS that allows attackers to upload malicious SVG files containing JavaScript. This affects all Concrete CMS installations through ...
This vulnerability allows authenticated attackers in Concrete CMS to perform path traversal attacks, leading to remote code execution by uploading PHP files. It affects all Concrete CMS installations ...
This vulnerability allows attackers to inject malicious PHP objects into Concrete5 applications through deserialization of untrusted data. Attackers can exploit this to execute arbitrary PHP code on t...
Concrete CMS versions below 8.5.20 and 9.x below 9.4.0RC2 are vulnerable to CSRF and XSS attacks in the Address attribute when a country is not specified. Attackers with address attribute editing permis...
Concrete CMS versions 9.0.0 through 9.3.9 contain a stored cross-site scripting (XSS) vulnerability in the 'Add Folder' functionality. A rogue administrator can inject malicious JavaScript as folder n...
This vulnerability allows a rogue administrator in Concrete CMS to inject malicious JavaScript code through the Image Editor Background Color feature, creating stored cross-site scripting (XSS) attack...
Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 contain a stored cross-site scripting (XSS) vulnerability in the calendar event addition feature. Users or groups with permission to cre...
Concrete CMS versions 9.0.0 through 9.3.3 have a stored cross-site scripting (XSS) vulnerability in the Top Navigator Bar block. A rogue administrator can inject malicious JavaScript that executes whe...
Concrete CMS versions 9 through 9.3.2 and below 8.5.18 contain a stored cross-site scripting (XSS) vulnerability in the getAttributeSetName() function. A rogue administrator can inject malicious JavaS...