VYPR
Unrated severityNVD Advisory· Published Jul 28, 2014· Updated Jun 17, 2026

CVE-2014-5108

CVE-2014-5108

Description

Cross-site scripting (XSS) vulnerability in single_pages\download_file.php in concrete5 before 5.6.3 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header to index.php/download_file.

Affected products

16
  • Concrete5/Concrete516 versions
    cpe:2.3:a:concrete5:concrete5:5.5.0:*:*:*:*:*:*:*+ 15 more
    • cpe:2.3:a:concrete5:concrete5:5.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:concrete5:concrete5:5.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:concrete5:concrete5:5.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:concrete5:concrete5:5.5.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:concrete5:concrete5:5.6.0:*:*:*:*:*:*:*
    • cpe:2.3:a:concrete5:concrete5:5.6.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:concrete5:concrete5:5.6.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:concretecms:concrete_cms:5.4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:concretecms:concrete_cms:5.4.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:concretecms:concrete_cms:5.4.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:concretecms:concrete_cms:5.6.1:*:*:*:*:*:*:*
    • cpe:2.3:a:concretecms:concrete_cms:5.6.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:concretecms:concrete_cms:5.6.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:concretecms:concrete_cms:5.6.2:*:*:*:*:*:*:*
    • cpe:2.3:a:concretecms:concrete_cms:5.6.2.1:*:*:*:*:*:*:*
    • (no CPE)range: <5.6.3

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.