CVE-2021-40108
https://notcve.org/view.php?id=CVE-2021-40108
An issue was discovered in Concrete CMS through 8.5.5. The Calendar is vulnerable to CSRF. ccm_token is not verified on the ccm/calendar/dialogs/event/add/save endpoint.
References: https://documentation.concretecms.org/developers/introduction/version-history/856-release-notes ; https://hackerone.com/reports/1102018
Weakness: CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2021-40106
https://notcve.org/view.php?id=CVE-2021-40106
An issue was discovered in Concrete CMS through 8.5.5. There is unauthenticated stored XSS in blog comments via the website field.
References: https://documentation.concretecms.org/developers/introduction/version-history/856-release-notes ; https://hackerone.com/reports/1102042
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-40105
https://notcve.org/view.php?id=CVE-2021-40105
An issue was discovered in Concrete CMS through 8.5.5. There is XSS via Markdown Comments.
References: https://documentation.concretecms.org/developers/introduction/version-history/856-release-notes ; https://hackerone.com/reports/1102054
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-40104
https://notcve.org/view.php?id=CVE-2021-40104
An issue was discovered in Concrete CMS through 8.5.5. There is an SVG sanitizer bypass.
References: https://documentation.concretecms.org/developers/introduction/version-history/856-release-notes ; https://hackerone.com/reports/1102088
CVE-2021-40103
https://notcve.org/view.php?id=CVE-2021-40103
An issue was discovered in Concrete CMS through 8.5.5. Path Traversal can lead to Arbitrary File Reading and SSRF.
References: https://documentation.concretecms.org/developers/introduction/version-history/856-release-notes ; https://hackerone.com/reports/1102211
Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')