Packagist (Composer) package
concrete5/concrete5
pkg:composer/concrete5/concrete5
Vulnerabilities (73)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-30662 | — | <= 9.4.7 | — | Mar 24, 2026 | ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The 'download' method in 'concrete/controllers/backend/file.php' improperly manages memory when creating zip archives. It uses 'ZipArchive::addFromString' combined with 'file_get_co | ||
| CVE-2026-2994 | — | < 9.4.8 | 9.4.8 | Mar 4, 2026 | Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via group_id parameter which can leads to a security bypass since changes are saved prior to checking the CSRF token. The Concrete CMS security team gave | ||
| CVE-2026-3240 | — | < 9.4.8 | 9.4.8 | Mar 4, 2026 | In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored XSS attack towards high-privilege accounts via the Question field. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector | ||
| CVE-2026-3241 | — | < 9.4.8 | 9.4.8 | Mar 4, 2026 | In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the "Legacy Form" block. An authenticated user with permissions to create or edit forms (e.g., a rogue administrator) can inject a persistent JavaScript payload into the options of a | ||
| CVE-2026-3242 | — | < 9.4.8 | 9.4.8 | Mar 4, 2026 | In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3di | ||
| CVE-2026-3244 | — | < 9.4.8 | 9.4.8 | Mar 4, 2026 | In Concrete CMS below version 9.4.8, A stored cross-site scripting (XSS) vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScri | ||
| CVE-2026-3452 | — | < 9.4.8 | 9.4.8 | Mar 4, 2026 | Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are | ||
| CVE-2025-8571 | — | < 8.5.21 | 8.5.21 | Aug 5, 2025 | Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Page. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and ( | ||
| CVE-2025-8573 | — | >= 9.0.0RC1, < 9.4.3 | 9.4.3 | Aug 5, 2025 | Concrete CMS versions 9 through 9.4.2 are vulnerable to Stored XSS from Home Folder on Members Dashboard page. Version 8 was not affected. A rogue admin could set up a malicious folder containing XSS to which users could be directed upon login. The Concrete CMS security team gav | ||
| CVE-2025-3153 | — | >= 9.0.0, < 9.4.0RC2 | 9.4.0RC2 | Apr 3, 2025 | Concrete CMS version 9 below 9.4.0RC2 and versions below 8.5.20 are vulnerable to CSRF and XSS in the Concrete CMS Address attribute because addresses are not properly sanitized in the output when a country is not specified. Attackers are limited to individuals whom a site admin | ||
| CVE-2025-0660 | — | < 9.4.0RC1 | 9.4.0RC1 | Mar 10, 2025 | Concrete CMS versions 9.0.0 through 9.3.9 are affected by a stored XSS in Folder Function.The "Add Folder" functionality lacks input sanitization, allowing a rogue admin to inject XSS payloads as folder names. The Concrete CMS security team gave this vulnerability a CVSS 4.0 Sco | ||
| CVE-2024-7398 | — | >= 9.0.0, < 9.3.4 | 9.3.4 | Sep 24, 2024 | Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users | ||
| CVE-2024-8291 | — | >= 9.0.0, < 9.3.4 | 9.3.4 | Sep 24, 2024 | Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in Image Editor Background Color. A rogue admin could add malicious code to the Thumbnails/Add-Type. The Concrete CMS Security Team gave this a CVSS v4 score of 5.1 with vector https://www.first | ||
| CVE-2024-8660 | — | >= 9.0.0, < 9.3.3 | 9.3.3 | Sep 17, 2024 | Concrete CMS versions 9.0.0 through 9.3.3 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block. Since the "Top Navigator Bar" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted use | ||
| CVE-2024-8661 | — | < 8.5.19 | 8.5.19 | Sep 16, 2024 | Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in the "Next&Previous Nav" block. A rogue administrator could add a malicious payload by executing it in the browsers of targeted users. The Concrete CMS Security Team gave this vulnerability a CV | ||
| CVE-2024-4350 | — | < 8.5.18 | 8.5.18 | Aug 9, 2024 | Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses. A rogue administrator could inject malicious code into fields due to insufficient input validation. The Concrete CMS se | ||
| CVE-2024-7512 | — | >= 9.0.0RC1, < 9.3.3 | 9.3.3 | Aug 9, 2024 | Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in Board instances. A rogue administrator could inject malicious code. The Concrete CMS security team gave this vulnerability a CVSS 4.0 Score of 4.6 with vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI: | ||
| CVE-2024-7394 | — | < 8.5.18 | 8.5.18 | Aug 8, 2024 | Concrete CMS versions 9 through 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in getAttributeSetName(). A rogue administrator could inject malicious code. The Concrete CMS team gave this a CVSS v4.0 rank of 4.6 with vector https://www.first.org/cvss/calculator/4.0#CVSS: | ||
| CVE-2024-4353 | — | >= 9.0.0, <= 9.3.2 | — | Aug 1, 2024 | Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board instance functionality. The Name input field does not check the input sufficiently letting a rogue administrator have the capability to inject malicious JavaScript | ||
| CVE-2024-3181 | — | >= 9.0.0RC1, < 9.2.8 | 9.2.8 | Apr 3, 2024 | Concrete CMS version 9 prior to 9.2.8 and previous versions prior to 8.5.16 are vulnerable to Stored XSS in the Search Field. Prior to the fix, stored XSS could be executed by an administrator changing a filter to which a rogue administrator had previously added malicious code. T |
- CVE-2026-30662Mar 24, 2026affected <= 9.4.7
ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The 'download' method in 'concrete/controllers/backend/file.php' improperly manages memory when creating zip archives. It uses 'ZipArchive::addFromString' combined with 'file_get_co
- CVE-2026-2994Mar 4, 2026affected < 9.4.8fixed 9.4.8
Concrete CMS below version 9.4.8 is subject to CSRF by a Rogue Administrator using the Anti-Spam Allowlist Group Configuration via group_id parameter which can leads to a security bypass since changes are saved prior to checking the CSRF token. The Concrete CMS security team gave
- CVE-2026-3240Mar 4, 2026affected < 9.4.8fixed 9.4.8
In Concrete CMS below version 9.4.8, a user with permission to edit a page with element Legacy form can perform a stored XSS attack towards high-privilege accounts via the Question field. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector
- CVE-2026-3241Mar 4, 2026affected < 9.4.8fixed 9.4.8
In Concrete CMS below version 9.4.8, a stored cross-site scripting (XSS) vulnerability exists in the "Legacy Form" block. An authenticated user with permissions to create or edit forms (e.g., a rogue administrator) can inject a persistent JavaScript payload into the options of a
- CVE-2026-3242Mar 4, 2026affected < 9.4.8fixed 9.4.8
In Concrete CMS below version 9.4.8, a rogue administrator can add stored XSS via the Switch Language block. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks M3di
- CVE-2026-3244Mar 4, 2026affected < 9.4.8fixed 9.4.8
In Concrete CMS below version 9.4.8, A stored cross-site scripting (XSS) vulnerability exists in the search block where page names and content are rendered without proper HTML encoding in search results. This allows authenticated, rogue administrators to inject malicious JavaScri
- CVE-2026-3452Mar 4, 2026affected < 9.4.8fixed 9.4.8
Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are
- CVE-2025-8571Aug 5, 2025affected < 8.5.21fixed 8.5.21
Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Page. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and (
- CVE-2025-8573Aug 5, 2025affected >= 9.0.0RC1, < 9.4.3fixed 9.4.3
Concrete CMS versions 9 through 9.4.2 are vulnerable to Stored XSS from Home Folder on Members Dashboard page. Version 8 was not affected. A rogue admin could set up a malicious folder containing XSS to which users could be directed upon login. The Concrete CMS security team gav
- CVE-2025-3153Apr 3, 2025affected >= 9.0.0, < 9.4.0RC2fixed 9.4.0RC2
Concrete CMS version 9 below 9.4.0RC2 and versions below 8.5.20 are vulnerable to CSRF and XSS in the Concrete CMS Address attribute because addresses are not properly sanitized in the output when a country is not specified. Attackers are limited to individuals whom a site admin
- CVE-2025-0660Mar 10, 2025affected < 9.4.0RC1fixed 9.4.0RC1
Concrete CMS versions 9.0.0 through 9.3.9 are affected by a stored XSS in Folder Function.The "Add Folder" functionality lacks input sanitization, allowing a rogue admin to inject XSS payloads as folder names. The Concrete CMS security team gave this vulnerability a CVSS 4.0 Sco
- CVE-2024-7398Sep 24, 2024affected >= 9.0.0, < 9.3.4fixed 9.3.4
Concrete CMS versions 9 through 9.3.3 and versions below 8.5.19 are vulnerable to stored XSS in the calendar event addition feature because the calendar event name was not sanitized on output. Users or groups with permission to create event calendars can embed scripts, and users
- CVE-2024-8291Sep 24, 2024affected >= 9.0.0, < 9.3.4fixed 9.3.4
Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in Image Editor Background Color. A rogue admin could add malicious code to the Thumbnails/Add-Type. The Concrete CMS Security Team gave this a CVSS v4 score of 5.1 with vector https://www.first
- CVE-2024-8660Sep 17, 2024affected >= 9.0.0, < 9.3.3fixed 9.3.3
Concrete CMS versions 9.0.0 through 9.3.3 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block. Since the "Top Navigator Bar" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted use
- CVE-2024-8661Sep 16, 2024affected < 8.5.19fixed 8.5.19
Concrete CMS versions 9.0.0 to 9.3.3 and below 8.5.19 are vulnerable to Stored XSS in the "Next&Previous Nav" block. A rogue administrator could add a malicious payload by executing it in the browsers of targeted users. The Concrete CMS Security Team gave this vulnerability a CV
- CVE-2024-4350Aug 9, 2024affected < 8.5.18fixed 8.5.18
Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses. A rogue administrator could inject malicious code into fields due to insufficient input validation. The Concrete CMS se
- CVE-2024-7512Aug 9, 2024affected >= 9.0.0RC1, < 9.3.3fixed 9.3.3
Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in Board instances. A rogue administrator could inject malicious code. The Concrete CMS security team gave this vulnerability a CVSS 4.0 Score of 4.6 with vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:
- CVE-2024-7394Aug 8, 2024affected < 8.5.18fixed 8.5.18
Concrete CMS versions 9 through 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in getAttributeSetName(). A rogue administrator could inject malicious code. The Concrete CMS team gave this a CVSS v4.0 rank of 4.6 with vector https://www.first.org/cvss/calculator/4.0#CVSS:
- CVE-2024-4353Aug 1, 2024affected >= 9.0.0, <= 9.3.2
Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board instance functionality. The Name input field does not check the input sufficiently letting a rogue administrator have the capability to inject malicious JavaScript
- CVE-2024-3181Apr 3, 2024affected >= 9.0.0RC1, < 9.2.8fixed 9.2.8
Concrete CMS version 9 prior to 9.2.8 and previous versions prior to 8.5.16 are vulnerable to Stored XSS in the Search Field. Prior to the fix, stored XSS could be executed by an administrator changing a filter to which a rogue administrator had previously added malicious code. T
Page 1 of 4