Packagist (Composer) package
concrete5/core
pkg:composer/concrete5/core
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-30120 | — | >= 9.0.0, < 9.1.0 | 9.1.0 | Jun 24, 2022 | XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 to allo | ||
| CVE-2022-21829 | — | >= 9.0.0, < 9.1.0 | 9.1.0 | Jun 24, 2022 | Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concrete_secure’ instead of ‘concrete’. Concrete now only makes requests over https even a request | ||
| CVE-2022-30117 | — | >= 9.0.0, < 9.1.0 | 9.1.0 | Jun 24, 2022 | Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 allow traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. This was remediated by sanitizing /index.php/ccm/system/file/upload to ensure Concrete doesn’t allow travers | ||
| CVE-2021-22968 | 5.4 | < 8.5.7 | 8.5.7 | Nov 19, 2021 | A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below.The external file upload feature stages files in the public directory even if they have disallowed file extensio | ||
| CVE-2021-22967 | 4.3 | < 8.5.7 | 8.5.7 | Nov 19, 2021 | In Concrete CMS (formerly concrete 5) below 8.5.7, IDOR Allows Unauthenticated User to Access Restricted Files If Allowed to Add Message to a Conversation.To remediate this, a check was added to verify a user has permissions to view files before attaching the files to a message i | ||
| CVE-2021-22951 | — | < 8.5.7 | 8.5.7 | Nov 19, 2021 | Unauthorized individuals could view password protected files using view_inline in Concrete CMS (previously concrete 5) prior to version 8.5.7. Concrete CMS now checks to see if a file has a password in view_inline and, if it does, the file is not rendered.For version 8.5.6, the f | ||
| CVE-2021-22966 | — | < 8.5.7 | 8.5.7 | Nov 19, 2021 | Privilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. If a group is granted "view" permissions on the bulkupdate page, then users in that group can escalate to being an administrator with a specially crafted curl. Fixed by adding a check | ||
| CVE-2021-22970 | — | < 8.5.7 | 8.5.7 | Nov 19, 2021 | Concrete CMS (formerly concrete5) versions 8.5.6 and below and version 9.0.0 allow local IP importing causing the system to be vulnerable toa. SSRF attacks on the private LAN servers by reading files from the local LAN. An attacker can pivot in the private LAN and exploit local n | ||
| CVE-2021-22969 | 3.5 | < 8.5.7 | 8.5.7 | Nov 19, 2021 | Concrete CMS (formerly concrete5) versions below 8.5.7 has a SSRF mitigation bypass using DNS Rebind attack giving an attacker the ability to fetch cloud IAAS (ex AWS) IAM keys.To fix this Concrete CMS no longer allows downloads from the local network and specifies the validated |
- CVE-2022-30120Jun 24, 2022affected >= 9.0.0, < 9.1.0fixed 9.1.0
XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 to allo
- CVE-2022-21829Jun 24, 2022affected >= 9.0.0, < 9.1.0fixed 9.1.0
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concrete_secure’ instead of ‘concrete’. Concrete now only makes requests over https even a request
- CVE-2022-30117Jun 24, 2022affected >= 9.0.0, < 9.1.0fixed 9.1.0
Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 allow traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. This was remediated by sanitizing /index.php/ccm/system/file/upload to ensure Concrete doesn’t allow travers
- CVE-2021-22968Nov 19, 2021affected < 8.5.7fixed 8.5.7
A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below.The external file upload feature stages files in the public directory even if they have disallowed file extensio
- CVE-2021-22967Nov 19, 2021affected < 8.5.7fixed 8.5.7
In Concrete CMS (formerly concrete 5) below 8.5.7, IDOR Allows Unauthenticated User to Access Restricted Files If Allowed to Add Message to a Conversation.To remediate this, a check was added to verify a user has permissions to view files before attaching the files to a message i
- CVE-2021-22951Nov 19, 2021affected < 8.5.7fixed 8.5.7
Unauthorized individuals could view password protected files using view_inline in Concrete CMS (previously concrete 5) prior to version 8.5.7. Concrete CMS now checks to see if a file has a password in view_inline and, if it does, the file is not rendered.For version 8.5.6, the f
- CVE-2021-22966Nov 19, 2021affected < 8.5.7fixed 8.5.7
Privilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. If a group is granted "view" permissions on the bulkupdate page, then users in that group can escalate to being an administrator with a specially crafted curl. Fixed by adding a check
- CVE-2021-22970Nov 19, 2021affected < 8.5.7fixed 8.5.7
Concrete CMS (formerly concrete5) versions 8.5.6 and below and version 9.0.0 allow local IP importing causing the system to be vulnerable toa. SSRF attacks on the private LAN servers by reading files from the local LAN. An attacker can pivot in the private LAN and exploit local n
- CVE-2021-22969Nov 19, 2021affected < 8.5.7fixed 8.5.7
Concrete CMS (formerly concrete5) versions below 8.5.7 has a SSRF mitigation bypass using DNS Rebind attack giving an attacker the ability to fetch cloud IAAS (ex AWS) IAM keys.To fix this Concrete CMS no longer allows downloads from the local network and specifies the validated