Page 16 of 88 results (0.006 seconds)

CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1

Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file. Concrete5 versiones anteriores a 8.5.3, permite una Carga Sin Restricciones de Archivos con Tipos Peligrosos, como un archivo .phar • https://github.com/concrete5/concrete5/pull/8713 https://github.com/concrete5/concrete5/releases/tag/8.5.3 https://herolab.usd.de/security-advisories https://herolab.usd.de/security-advisories/usd-2020-0041 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0

Concrete5 before 8.5.3 does not constrain the sort direction to a valid asc or desc value. Concrete5 versiones anteriores a 8.5.3, no restringe la dirección de clasificación a un valor asc o desc válido • https://github.com/concrete5/concrete5/pull/8651 https://github.com/concrete5/concrete5/releases/tag/8.5.3 •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

A Cross-Site Scripting (XSS) vulnerability exists in the rcID parameter in Concrete CMS 5.4.1.1 and earlier. Se presenta una vulnerabilidad de tipo Cross-Site Scripting (XSS) en el parámetro rcID en Concrete CMS versión 5.4.1.1 y anteriores. • https://www.openwall.com/lists/oss-security/2011/08/22/11 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1

Concrete5 8.4.3 has XSS because config/concrete.php allows uploads (by administrators) of SVG files that may contain HTML data with a SCRIPT element. Concrete5 versión 8.4.3, presenta una vulnerabilidad de tipo XSS porque el archivo config/concrete.php permite la carga (por administradores) de archivos SVG que pueden contener datos HTML con un elemento SCRIPT. • https://hackerone.com/concrete5?view_policy=true https://hackerone.com/reports/437863 https://www.concrete5.org https://www.w3.org/TR/SVG2/intro.html#W3CCompatibility • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1

A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to attacks on the local network and mapping of the internal network, because of URL functionality on the File Manager page. Una vulnerabilidad de Server-Side Request Forgery (SSRF) en tools/files/importers/remote.php en concrete5 8.2.0 puede dar lugar a ataques en la red local, así como al mapeo de redes internas debido a la funcionalidad URL en la página File Manager. • https://hackerone.com/reports/243865 • CWE-918: Server-Side Request Forgery (SSRF) •