Page 3 of 79 results (0.009 seconds)

CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0

Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions. File creation functions (such as the Mkdir() function) gives universal access (0777) to created folders by default. Excessive permissions can be granted when creating a directory with permissions greater than 0755 or when the permissions argument is not specified. Concrete CMS anterior a 8.5.13 y 9.x anterior a 9.2.2 permite el acceso no autorizado porque se pueden crear directorios con permisos inseguros. Las funciones de creación de archivos (como la función Mkdir()) brindan acceso universal (0777) a las carpetas creadas de forma predeterminada. • https://documentation.concretecms.org/developers/introduction/version-history/8513-release-notes https://documentation.concretecms.org/developers/introduction/version-history/922-release-notes https://www.concretecms.org/about/project-news/security/2023-11-09-security-blog-about-updated-cves-and-new-release • CWE-276: Incorrect Default Permissions •

CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0

Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows stored XSS on the Admin page via an uploaded file name. Concrete CMS anterior a 8.5.13 y 9.x anterior a 9.2.2 permite almacenar XSS en la página de Administración a través de un nombre de archivo cargado. • https://documentation.concretecms.org/developers/introduction/version-history/8513-release-notes https://documentation.concretecms.org/developers/introduction/version-history/922-release-notes https://github.com/concretecms/concretecms/pull/11695 https://github.com/concretecms/concretecms/pull/11739 https://www.concretecms.org/about/project-news/security/2023-11-09-security-blog-about-updated-cves-and-new-release • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Tags on uploaded files. • https://concretecms.com https://www.concretecms.org/about/project-news/security/2023-12-05-concrete-cms-new-cves-and-cve-updates https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2023-04-20 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0

Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to stored XSS on API Integrations via the name parameter. • https://concretecms.com https://www.concretecms.org/about/project-news/security/2023-11-09-security-blog-about-updated-cves-and-new-release https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2023-04-20 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0

Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 does not have Secure and HTTP only attributes set for ccmPoll cookies. • https://concretecms.com https://www.concretecms.org/about/project-news/security/2023-11-09-security-blog-about-updated-cves-and-new-release https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2023-04-20 •