concrete5/concrete5 Security Advisories for 9.0.2 (57)
-
[MEDIUM] Concrete CMS Vulnerable to Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS)
PKSA-jtjf-xd7f-qq44 CVE-2025-3153 GHSA-cmm4-p9v2-q453
Affected version: <8.5.20|>=9.0.0,<9.4.0RC2
Reported by:
GitHub -
[MEDIUM] ConcreteCMS Cross-Site Scripting (XSS) via HTML Block Text Field
PKSA-wppm-g9w6-5t8w CVE-2025-2967 GHSA-xfqf-5rhg-5c73
Affected version: <=9.3.9
Reported by:
GitHub -
[MEDIUM] Concrete CMS affected by a stored XSS in Folder Function.The "Add Folder" functionality
PKSA-7rbh-qkpf-p5vz CVE-2025-0660 GHSA-pvmx-mjmh-jfcx
Affected version: <9.4.0RC1
Reported by:
GitHub -
[MEDIUM] Cross site scripting in Concrete CMS
PKSA-fckc-p3cm-dkks CVE-2024-8291 GHSA-q7qr-22qw-pqgx
Affected version: <8.5.19|>=9.0.0,<9.3.4
Reported by:
GitHub -
[MEDIUM] Cross site scripting in Concrete CMS
PKSA-dd65-y4fx-94zs CVE-2024-7398 GHSA-x8h2-255q-jg4x
Affected version: <8.5.19|>=9.0.0,<9.3.4
Reported by:
GitHub -
[MEDIUM] Concrete CMS stored XSS vulnerability in the "Top Navigator Bar" block
PKSA-69js-g4kz-mxqx CVE-2024-8660 GHSA-998c-q8hh-h8gv
Affected version: >=9.0.0,<9.3.3
Reported by:
GitHub -
[MEDIUM] Concrete CMS Stored XSS in the "Next&Previous Nav" block
PKSA-nwnp-29jm-dnjm CVE-2024-8661 GHSA-xmxj-v2q8-8qx6
Affected version: >=9.0.0,<9.3.4|<8.5.19
Reported by:
GitHub -
[LOW] Concrete CMS vulnerable to Stored Cross-site Scripting
PKSA-11gg-978n-ccy8 CVE-2024-7512 GHSA-c47w-9mcf-w972
Affected version: >=9.0.0RC1,<9.3.3
Reported by:
GitHub -
[MEDIUM] Concrete CMS Stored Cross-site Scripting vulnerability
PKSA-t8dh-g3jy-xp44 CVE-2024-4350 GHSA-q5wx-m95r-4cgc
Affected version: >=9.0.0RC1,<9.3.3|<8.5.18
Reported by:
GitHub -
[MEDIUM] Concrete CMS Stored XSS in getAttributeSetName
PKSA-wgx3-m6ch-tdkj CVE-2024-7394 GHSA-w6j6-w6jx-vf2r
Affected version: >=9.0.0,<9.3.3|<8.5.18
Reported by:
GitHub -
[MEDIUM] Concrete CMS vulnerable to Stored Cross-site Scripting
PKSA-qdwk-mh2v-7h2p CVE-2024-4353 GHSA-3cpf-jmmc-8jm3
Affected version: >=9.0.0,<=9.3.2
Reported by:
GitHub -
[LOW] Concrete CMS Stored XSS on the calendar color settings screen
PKSA-637y-63mx-s8kt CVE-2024-2753 GHSA-pj42-r64f-4xfq
Affected version: <8.5.16|>=9.0.0RC1,<9.2.8
Reported by:
GitHub -
[LOW] Concrete CMS Cross-site Scripting (XSS) in the Advanced File Search Filter
PKSA-7yvb-1h2z-t44j CVE-2024-3178 GHSA-xwrh-qxmc-x8c8
Affected version: <8.5.16|>=9.0.0RC1,<9.2.8
Reported by:
GitHub -
[LOW] Concrete CMS Stored XSS in the Custom Class page editing
PKSA-9d3h-dqyn-p3hg CVE-2024-3179 GHSA-r7q4-cw9r-vhp4
Affected version: <8.5.16|>=9.0.0RC1,<9.2.8
Reported by:
GitHub -
[LOW] Concrete CMS Stored XSS in the Search Field
PKSA-n81q-nvhs-j5xh CVE-2024-3181 GHSA-qgm9-rxmq-jxmq
Affected version: <8.5.16|>=9.0.0RC1,<9.2.8
Reported by:
GitHub -
[LOW] Concrete CMS Stored XSS in blocks of type file
PKSA-jkfn-dm68-h74g CVE-2024-3180 GHSA-9qhc-pg6j-wf23
Affected version: <8.5.16|>=9.0.0RC1,<9.2.8
Reported by:
GitHub -
[LOW] Concrete CMS Stored Cross-site Scripting vulnerability
PKSA-xz8s-kt9m-78kn CVE-2024-2179 GHSA-4m7h-34xm-4wjv
Affected version: <9.2.7
Reported by:
GitHub -
[MEDIUM] Concrete CMS Stored XSS in Layout Preset Name
PKSA-ph3z-1rkb-jkr2 CVE-2023-48650 GHSA-x577-gcc9-9xjj
Affected version: >=9.0.0,<9.2.3|<8.5.14
Reported by:
GitHub -
[LOW] Concrete CMS Stored XSS
PKSA-hcpk-wmjc-z55m CVE-2023-49337 GHSA-9xxv-q6pp-96wq
Affected version: >=9.0.0,<9.2.3
Reported by:
GitHub -
[MEDIUM] Concrete CMS Cross Site Request Forgery (CSRF) vulnerability
PKSA-qdvs-5x9y-sbsd CVE-2023-48653 GHSA-3rxx-8f33-7p6p
Affected version: >=9.0.0,<9.2.3|<8.5.14
Reported by:
GitHub -
[MEDIUM] Concrete CMS Cross Site Request Forgery (CSRF) vulnerability
PKSA-mzrf-7ycs-nx52 CVE-2023-48651 GHSA-45m2-8q7f-93wv
Affected version: >=9.0.0,<9.2.3
Reported by:
GitHub -
[LOW] Concrete CMS vulnerable to stored XSS via the Role Name field
PKSA-q44b-j422-8pc9 CVE-2024-1247 GHSA-q25h-jch8-gfrp
Affected version: >=9.0.0RC1,<9.2.5
Reported by:
GitHub -
[LOW] Concrete CMS vulnerable to reflected XSS via the Image URL Import Feature
PKSA-mg7v-tf5z-216y CVE-2024-1246 GHSA-9v3w-cj7m-qh5g
Affected version: >=9.0.0RC1,<9.2.5
Reported by:
GitHub -
[LOW] Concrete CMS vulnerable to stored XSS in file tags and description attributes
PKSA-k3fw-5172-87s2 CVE-2024-1245 GHSA-mgp6-j658-vcw9
Affected version: >=9.0.0RC1,<9.2.5
Reported by:
GitHub -
[MEDIUM] Concrete CMS Cross Site Request Forgery (CSRF)
PKSA-cqc1-1kdn-st4p CVE-2023-48652 GHSA-qp42-5pj7-4ccm
Affected version: <9.2.3
Reported by:
GitHub -
[LOW] Concrete CMS Cross-site Scripting vulnerability
PKSA-62k8-1sbp-2zs5 CVE-2023-48649 GHSA-36fr-3wg8-q5v8
Affected version: >=9.0.0,<9.2.2|<8.5.13
Reported by:
GitHub -
[MEDIUM] Concrete CMS allows unauthorized access because directories can be created with insecure permissions
PKSA-dg8d-2ptg-hb9j CVE-2023-48648 GHSA-m87h-jxr6-f82w
Affected version: >=9.0.0,<9.2.2|<8.5.13
Reported by:
GitHub -
[MEDIUM] Concrete CMS Cross-site Scripting vulnerability
PKSA-pnzc-59z2-f5y3 CVE-2023-44760 GHSA-4qv6-37xq-mgq2
Affected version: <=9.2.1
Reported by:
GitHub -
[MEDIUM] ConcreteCMS vulnerable to Stored Cross-site Scripting
PKSA-h43h-5y8z-wmzt CVE-2023-44763 GHSA-wrp2-6v6j-hfmg
Affected version: <=9.2.1
Reported by:
GitHub -
[MEDIUM] ConcreteCMS Cross-site Scripting vulnerability
PKSA-xzkr-c5rd-bz1y CVE-2023-44766 GHSA-437p-jfm4-2387
Affected version: <=9.2.1
Reported by:
GitHub -
[MEDIUM] ConcreteCMS Cross-site Scripting vulnerability
PKSA-fmjx-j9wj-jxxq CVE-2023-44761 GHSA-p4jj-gwpg-9jwh
Affected version: <=9.2.1
Reported by:
GitHub -
[MEDIUM] ConcreteCMS Cross-site Scripting vulnerability
PKSA-g67y-rdnw-pmf6 CVE-2023-44765 GHSA-6xx7-r8x4-fpjp
Affected version: <=9.2.1
Reported by:
GitHub -
[MEDIUM] ConcreteCMS Cross-site Scripting vulnerability
PKSA-ppc5-9x8h-722z CVE-2023-44764 GHSA-j6h5-ggv2-3rfv
Affected version: <=9.2.1
Reported by:
GitHub -
[MEDIUM] ConcreteCMS Cross-site Scripting vulnerability
PKSA-4cr9-fm17-v4c8 CVE-2023-44762 GHSA-6fm3-r6mf-j875
Affected version: <=9.2.1
Reported by:
GitHub -
[MEDIUM] Concrete CMS Cross-site Scripting vulnerability
PKSA-8tc8-hr2t-r9td CVE-2022-43695 GHSA-8699-h45g-7hm8
Affected version: >=9.0.0,<9.1.3|<8.5.10
Reported by:
GitHub -
[MEDIUM] Missing rate limit for password resets
PKSA-1mgj-tr57-r1f7 CVE-2023-28821 GHSA-ph6g-6v8w-8p6m
Affected version: <9.1.0
Reported by:
GitHub -
[LOW] Stored cross site scripting in RSS displayer
PKSA-fq2t-qgfc-g81r CVE-2023-28820 GHSA-fgxj-g7x3-85cq
Affected version: <9.1.0
Reported by:
GitHub -
[LOW] Concrete CMS (previously concrete5) is vulnerable to stored XSS in uploaded file and folder names
PKSA-yfdn-spkq-2jww CVE-2023-28819 GHSA-474f-mcjv-pgrm
Affected version: <9.1.0
Reported by:
GitHub -
[MEDIUM] Stored cross site scripting on API integration
PKSA-1pbc-g2d5-65zk CVE-2023-28477 GHSA-xfmj-r86m-j2hr
Affected version: <9.2.0
Reported by:
GitHub -
[CRITICAL] Concrete CMS (previously concrete5) is vulnerable to possible auth bypass in the jobs section
PKSA-mr3p-nks7-1tws CVE-2023-28473 GHSA-pj76-75cm-3552
Affected version: <9.2.0
Reported by:
GitHub -
[MEDIUM] Stored cross site scripting via container name
PKSA-pt47-fxhg-84sd CVE-2023-28471 GHSA-9h33-5fxw-r2xv
Affected version: <9.2.0
Reported by:
GitHub -
[MEDIUM] Concrete CMS missing secure cookie parameters
PKSA-wd8t-n9z8-rhbr CVE-2023-28472 GHSA-f55r-8rcv-mqcf
Affected version: <9.2.0
Reported by:
GitHub -
[MEDIUM] Stored cross site scripting on saved presets
PKSA-nktg-qth3-gfbd CVE-2023-28474 GHSA-2j26-j953-2rph
Affected version: <9.2.0
Reported by:
GitHub -
[MEDIUM] Reflected cross site scripting
PKSA-8wxq-b9zg-qp74 CVE-2023-28475 GHSA-vcpr-hm2m-gjjj
Affected version: <9.2.0
Reported by:
GitHub -
[MEDIUM] Stored cross site scripting on tags
PKSA-95sr-pv8t-5nw1 CVE-2023-28476 GHSA-2ggc-552c-rmqr
Affected version: <9.2.0
Reported by:
GitHub -
[MEDIUM] Concrete CMS vulnerable to cross-site scripting in the text input field
PKSA-qzbz-hgdg-z5xv CVE-2022-43556 GHSA-xj33-8r43-r227
Affected version: >=9.0.0,<9.1.3|<8.5.10
Reported by:
GitHub -
[MEDIUM] Concrete CMS vulnerable to Reflected Cross-site Scripting via image manipulation library
PKSA-87pj-7s23-xmy4 CVE-2022-43694 GHSA-jfmc-3975-fv5f
Affected version: >=9.0.0,<9.1.3|<8.5.10
Reported by:
GitHub -
[MEDIUM] Concrete CMS vulnerable to Reflected Cross-site Scripting
PKSA-tddt-38zp-jdz1 CVE-2022-43692 GHSA-rg6w-c352-p8pg
Affected version: >=9.0.0,<9.1.3|<8.5.10
Reported by:
GitHub -
[MEDIUM] Concrete CMS vulnerable to Cross-site Scripting via multilingual report
PKSA-77jc-61q9-bjp6 CVE-2022-43967 GHSA-vq39-q549-g786
Affected version: >=9.0.0,<9.1.3|<8.5.10
Reported by:
GitHub -
[MEDIUM] Concrete CMS vulnerable to Uncontrolled Resource Consumption leading to DoS
PKSA-858q-7654-kzn8 CVE-2022-43686 GHSA-3cxx-3f53-m92c
Affected version: >=9.0.0,<9.1.3|<8.5.10
Reported by:
GitHub -
[MEDIUM] Concrete CMS vulnerable to Session Fixation
PKSA-6whh-xycm-8tys CVE-2022-43687 GHSA-m53v-5x5x-5m2p
Affected version: >=9.0.0,<9.1.3|<8.5.10
Reported by:
GitHub -
[MEDIUM] Concrete CMS vulnerable to Cross-site Scripting
PKSA-qmx5-45c3-cqz1 CVE-2022-43688 GHSA-9jc5-9wh5-mc36
Affected version: >=9.0.0,<9.1.3|<8.5.10
Reported by:
GitHub -
[MEDIUM] Concrete CMS vulnerable to Cleartext Transmission of Sensitive Information
PKSA-rpbt-n98y-p3vv CVE-2022-43691 GHSA-q3hq-hm5h-qrx3
Affected version: >=9.0.0,<9.1.3|<8.5.10
Reported by:
GitHub -
[MEDIUM] Concrete CMS vulnerable to Reflected Cross-Site Scripting via dashboard icons
PKSA-dbw1-h9nz-f1xn CVE-2022-43968 GHSA-8782-xgh5-r7mv
Affected version: >=9.0.0,<9.1.3|<8.5.10
Reported by:
GitHub -
[MEDIUM] Concrete CMS vulnerable to Improper Authentication
PKSA-6r6t-xj34-zx7v CVE-2022-43690 GHSA-q56r-mw39-944g
Affected version: >=9.0.0,<9.1.3|<8.5.10
Reported by:
GitHub -
[MEDIUM] Concrete CMS vulnerable to XML External Entity
PKSA-ggmy-dxdz-ghnm CVE-2022-43689 GHSA-q48r-xg9h-78m8
Affected version: >=9.0.0,<9.1.2|<8.5.10
Reported by:
GitHub -
[HIGH] Concrete CMS vulnerable to Cross-site Request Forgery
PKSA-2m1g-rdf8-db8s CVE-2022-43693 GHSA-w8fp-3gwq-gxpw
Affected version: >=9.0.0RC1,<9.1.3|<8.5.10
Reported by:
GitHub