CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2020-11476
https://notcve.org/view.php?id=CVE-2020-11476
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Concrete5 versiones anteriores a 8.5.3, permite una Carga Sin Restricciones de Archivos con Tipos Peligrosos, como un archivo .phar • https://github.com/concrete5/concrete5/pull/8713 https://github.com/concrete5/concrete5/releases/tag/8.5.3 https://herolab.usd.de/security-advisories https://herolab.usd.de/security-advisories/usd-2020-0041 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-14961
https://notcve.org/view.php?id=CVE-2020-14961
Concrete5 before 8.5.3 does not constrain the sort direction to a valid asc or desc value. Concrete5 versiones anteriores a 8.5.3, no restringe la dirección de clasificación a un valor asc o desc válido • https://github.com/concrete5/concrete5/pull/8651 https://github.com/concrete5/concrete5/releases/tag/8.5.3 •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 2CVE-2017-18195 – Concrete5 CMS < 8.3.0 - Username / Comments Enumeration
https://notcve.org/view.php?id=CVE-2017-18195
An issue was discovered in tools/conversations/view_ajax.php in Concrete5 before 8.3.0. An unauthenticated user can enumerate comments from all blog posts by POSTing requests to /index.php/tools/required/conversations/view_ajax with incremental 'cnvID' integers. Se ha descubierto un problema en tools/conversations/view_ajax.php en Concrete5, en versiones anteriores a la 8.3.0. Un usuario no autenticado puede enumerar comentarios de todos los posts de blog realizando peticiones POST a /index.php/tools/required/conversations/view_ajax con enteros "cnvID" incrementales. Concrete5 versions prior to 8.3.0 suffers from enumeration vulnerabilities. • https://www.exploit-db.com/exploits/44194 https://github.com/concrete5/concrete5/pull/6008/files https://github.com/concrete5/concrete5/releases/tag/8.3.0 https://github.com/r3naissance/NSE/blob/master/http-vuln-cve2017-18195.nse •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2015-4724
https://notcve.org/view.php?id=CVE-2015-4724
SQL injection vulnerability in Concrete5 5.7.3.1. Existe una vulnerabilidad de inyección SQL en Concrete5 5.7.3.1. • http://hackerone.com/reports/59664 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2015-4721
https://notcve.org/view.php?id=CVE-2015-4721
Multiple cross-site scripting (XSS) vulnerabilities in Concrete5 5.7.3.1. Existen múltiples vulnerabilidades de tipo Cross-Site Scripting (XSS) en Concrete5 5.7.3.1. • http://hackerone.com/reports/59661 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •