CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

An issue was discovered in concrete5 <= 5.6.3.4. The vulnerability exists due to insufficient filtration of user-supplied data (disable_choose) passed to the "concrete5-legacy-master/web/concrete/tools/files/search_dialog.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
• http://www.securityfocus.com/bid/96891 https://github.com/Mnkras/concrete5/commit/3eab581ab670982676e9dabddc9ad439391174ee https://github.com/concrete5/concrete5-legacy/commit/2b16399ce3e962a8c27fb3ec14bc8e855d65b63a https://github.com/concrete5/concrete5-legacy/issues/1947
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

An issue was discovered in concrete5 <= 5.6.3.4. The vulnerability exists due to insufficient filtration of user-supplied data (fID) passed to the "concrete5-legacy-master/web/concrete/tools/files/selector_data.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
• http://www.securityfocus.com/bid/96891 https://github.com/concrete5/concrete5-legacy/commit/62046f511fc02ad783ad170404c80db3c69f0408 https://github.com/concrete5/concrete5-legacy/issues/1948
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

Multiple cross-site scripting (XSS) vulnerabilities in concrete5 before 5.7.4 allow remote attackers to inject arbitrary web script or HTML via vectors related to private messages or other unspecified vectors.
• http://www.securityfocus.com/bid/74699 https://www.concrete5.org/documentation/developers/5.7/background/version-history/5-7-4-release-notes
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 3

Multiple cross-site scripting (XSS) vulnerabilities in concrete5 before 5.7.4 allow remote attackers to inject arbitrary web script or HTML via the (1) banned_word[] parameter to index.php/dashboard/system/conversations/bannedwords/success, (2) channel parameter to index.php/dashboard/reports/logs/view, (3) accessType parameter to index.php/tools/required/permissions/access_entity, (4) msCountry parameter to index.php/dashboard/system/multilingual/setup/load_icon, arHandle parameter to (5) design/submit or (6) design in index.php/ccm/system/dialogs/area/design/submit, (7) pageURL to index.php/dashboard/pages/single, (8) SEARCH_INDEX_AREA_METHOD parameter to index.php/dashboard/system/seo/searchindex/updated, (9) unit parameter to index.php/dashboard/system/optimization/jobs/job_scheduled, (10) register_notification_email parameter to index.php/dashboard/system/registration/open/1, or (11) PATH_INFO to index.php/dashboard/extend/connect/.
Concrete5 version 5.7.3.1 suffers from multiple cross site scripting vulnerabilities.
• http://packetstormsecurity.com/files/131882/Concrete5-5.7.3.1-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2015/May/51 http://www.securityfocus.com/archive/1/535531/100/0/threaded http://www.securityfocus.com/bid/74651 https://www.concrete5.org/documentation/developers/5.7/background/version-history/5-7-4-release-notes https://www.netsparker.com/cve-2015-2250-multiple-xss-vulnerabilities-identified-in-concrete5
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.3 | EPSS: 1% | CPEs: 2 | EXPL: 3

Multiple cross-site scripting (XSS) vulnerabilities in concrete5 5.7.2.1, 5.7.2, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) gName parameter in single_pages/dashboard/users/groups/bulkupdate.php or (2) instance_id parameter in tools/dashboard/sitemap_drag_request.php.
• http://morxploit.com/morxploits/morxconxss.txt http://packetstormsecurity.com/files/129446/Concrete5-CMS-5.7.2-5.7.2.1-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2014/Dec/38 http://www.securityfocus.com/archive/1/534189/100/0/threaded https://exchange.xforce.ibmcloud.com/vulnerabilities/99264
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')