concrete5/concrete5 Security Advisories for 8.5.12 (29)
-
[LOW] Concrete CMS Stored XSS in the Search Field
PKSA-n81q-nvhs-j5xh CVE-2024-3181 GHSA-qgm9-rxmq-jxmq
Affected version: <8.5.16|>=9.0.0RC1,<9.2.8
Reported by: GitHub
-
[LOW] Concrete CMS Stored XSS in blocks of type file
PKSA-jkfn-dm68-h74g CVE-2024-3180 GHSA-9qhc-pg6j-wf23
Affected version: <8.5.16|>=9.0.0RC1,<9.2.8
Reported by: GitHub
-
[LOW] Concrete CMS Stored XSS in the Custom Class page editing
PKSA-9d3h-dqyn-p3hg CVE-2024-3179 GHSA-r7q4-cw9r-vhp4
Affected version: <8.5.16|>=9.0.0RC1,<9.2.8
Reported by: GitHub
-
[LOW] Concrete CMS Cross-site Scripting (XSS) in the Advanced File Search Filter
PKSA-7yvb-1h2z-t44j CVE-2024-3178 GHSA-xwrh-qxmc-x8c8
Affected version: <8.5.16|>=9.0.0RC1,<9.2.8
Reported by: GitHub
-
[LOW] Concrete CMS Stored XSS on the calendar color settings screen
PKSA-637y-63mx-s8kt CVE-2024-2753 GHSA-pj42-r64f-4xfq
Affected version: <8.5.16|>=9.0.0RC1,<9.2.8
Reported by: GitHub
-
[LOW] Concrete CMS Stored Cross-site Scripting vulnerability
PKSA-xz8s-kt9m-78kn CVE-2024-2179 GHSA-4m7h-34xm-4wjv
Affected version: <9.2.7
Reported by: GitHub
-
[MEDIUM] Concrete CMS Stored XSS in Layout Preset Name
PKSA-ph3z-1rkb-jkr2 CVE-2023-48650 GHSA-x577-gcc9-9xjj
Affected version: >=9.0.0,<9.2.3|<8.5.14
Reported by: GitHub
-
[MEDIUM] Concrete CMS Cross Site Request Forgery (CSRF) vulnerability
PKSA-qdvs-5x9y-sbsd CVE-2023-48653 GHSA-3rxx-8f33-7p6p
Affected version: >=9.0.0,<9.2.3|<8.5.14
Reported by: GitHub
-
[MEDIUM] Concrete CMS Cross Site Request Forgery (CSRF)
PKSA-cqc1-1kdn-st4p CVE-2023-48652 GHSA-qp42-5pj7-4ccm
Affected version: <9.2.3
Reported by: GitHub
-
[LOW] Concrete CMS Cross-site Scripting vulnerability
PKSA-62k8-1sbp-2zs5 CVE-2023-48649 GHSA-36fr-3wg8-q5v8
Affected version: >=9.0.0,<9.2.2|<8.5.13
Reported by: GitHub
-
[MEDIUM] Concrete CMS allows unauthorized access because directories can be created with insecure permissions
PKSA-dg8d-2ptg-hb9j CVE-2023-48648 GHSA-m87h-jxr6-f82w
Affected version: >=9.0.0,<9.2.2|<8.5.13
Reported by: GitHub
-
[MEDIUM] Concrete CMS Cross-site Scripting vulnerability
PKSA-pnzc-59z2-f5y3 CVE-2023-44760 GHSA-4qv6-37xq-mgq2
Affected version: <=9.2.1
Reported by: GitHub
-
[MEDIUM] ConcreteCMS vulnerable to Stored Cross-site Scripting
PKSA-h43h-5y8z-wmzt CVE-2023-44763 GHSA-wrp2-6v6j-hfmg
Affected version: <=9.2.1
Reported by: GitHub
-
[MEDIUM] ConcreteCMS Cross-site Scripting vulnerability
PKSA-xzkr-c5rd-bz1y CVE-2023-44766 GHSA-437p-jfm4-2387
Affected version: <=9.2.1
Reported by: GitHub
-
[MEDIUM] ConcreteCMS Cross-site Scripting vulnerability
PKSA-g67y-rdnw-pmf6 CVE-2023-44765 GHSA-6xx7-r8x4-fpjp
Affected version: <=9.2.1
Reported by: GitHub
-
[MEDIUM] ConcreteCMS Cross-site Scripting vulnerability
PKSA-ppc5-9x8h-722z CVE-2023-44764 GHSA-j6h5-ggv2-3rfv
Affected version: <=9.2.1
Reported by: GitHub
-
[MEDIUM] ConcreteCMS Cross-site Scripting vulnerability
PKSA-4cr9-fm17-v4c8 CVE-2023-44762 GHSA-6fm3-r6mf-j875
Affected version: <=9.2.1
Reported by: GitHub
-
[MEDIUM] ConcreteCMS Cross-site Scripting vulnerability
PKSA-fmjx-j9wj-jxxq CVE-2023-44761 GHSA-p4jj-gwpg-9jwh
Affected version: <=9.2.1
Reported by: GitHub
-
[LOW] Concrete CMS (previously concrete5) is vulnerable to stored XSS in uploaded file and folder names
PKSA-yfdn-spkq-2jww CVE-2023-28819 GHSA-474f-mcjv-pgrm
Affected version: <9.1.0
Reported by: GitHub
-
[MEDIUM] Missing rate limit for password resets
PKSA-1mgj-tr57-r1f7 CVE-2023-28821 GHSA-ph6g-6v8w-8p6m
Affected version: <9.1.0
Reported by: GitHub
-
[LOW] Stored cross site scripting in RSS displayer
PKSA-fq2t-qgfc-g81r CVE-2023-28820 GHSA-fgxj-g7x3-85cq
Affected version: <9.1.0
Reported by: GitHub
-
[MEDIUM] Stored cross site scripting on API integration
PKSA-1pbc-g2d5-65zk CVE-2023-28477 GHSA-xfmj-r86m-j2hr
Affected version: <9.2.0
Reported by: GitHub
-
[MEDIUM] Stored cross site scripting on tags
PKSA-95sr-pv8t-5nw1 CVE-2023-28476 GHSA-2ggc-552c-rmqr
Affected version: <9.2.0
Reported by: GitHub
-
[MEDIUM] Reflected cross site scripting
PKSA-8wxq-b9zg-qp74 CVE-2023-28475 GHSA-vcpr-hm2m-gjjj
Affected version: <9.2.0
Reported by: GitHub
-
[MEDIUM] Stored cross site scripting on saved presets
PKSA-nktg-qth3-gfbd CVE-2023-28474 GHSA-2j26-j953-2rph
Affected version: <9.2.0
Reported by: GitHub
-
[CRITICAL] Concrete CMS (previously concrete5) is vulnerable to possible auth bypass in the jobs section
PKSA-mr3p-nks7-1tws CVE-2023-28473 GHSA-pj76-75cm-3552
Affected version: <9.2.0
Reported by: GitHub
-
[MEDIUM] Concrete CMS missing secure cookie parameters
PKSA-wd8t-n9z8-rhbr CVE-2023-28472 GHSA-f55r-8rcv-mqcf
Affected version: <9.2.0
Reported by: GitHub
-
[MEDIUM] Stored cross site scripting via container name
PKSA-pt47-fxhg-84sd CVE-2023-28471 GHSA-9h33-5fxw-r2xv
Affected version: <9.2.0
Reported by: GitHub
-
[HIGH] Cross Site Request Forgery in concrete5/concrete5
PKSA-xh9p-14ms-v6qh CVE-2021-22954 GHSA-gr23-g276-xc73
Affected version: <9.0.0
Reported by: GitHub