CVE-2021-22954
https://notcve.org/view.php?id=CVE-2021-22954
A cross-site request forgery vulnerability exists in Concrete CMS <v9 that could allow an attacker to make requests on behalf of other users. A cross-site request forgery vulnerability is present in Concrete CMS versions prior to v9, which could allow an attacker to make requests on behalf of other users. • https://documentation.concretecms.org/developers/introduction/version-history/90-release-notes • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2021-22970
https://notcve.org/view.php?id=CVE-2021-22970
Concrete CMS (formerly concrete5) versions 8.5.6 and below and version 9.0.0 allow local IP importing, causing the system to be vulnerable to a. SSRF attacks on the private LAN servers by reading files from the local LAN (an attacker can pivot in the private LAN and exploit local network apps) and b. SSRF mitigation bypass through DNS rebinding. The Concrete CMS security team gave this a CVSS score of 3.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N). Concrete CMS is maintaining Concrete version 8.5.x until 1 May 2022 for security fixes. This CVE is shared with HackerOne reports https://hackerone.com/reports/1364797 and https://hackerone.com/reports/1360016. Reporters: Adrian Tiron from FORTBRIDGE (https://www.fortbridge.co.uk/) and Bipul Jaiswal. Concrete CMS (formerly concrete5) versions 8.5.6 and below and version 9.0.0 allow local IP importing, causing the system to be vulnerable to SSRF attacks on the private LAN servers by reading files from the local LAN. An attacker can pivot in the private LAN and exploit local network apps. • https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes https://documentation.concretecms.org/developers/introduction/version-history/901-release-notes https://hackerone.com/reports/1364797 • CWE-918: Server-Side Request Forgery (SSRF) •