CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-48652
https://notcve.org/view.php?id=CVE-2023-48652
Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery (CSRF) via /ccm/system/dialogs/logs/delete_all/submit. An attacker can force an admin user to delete server report logs on a web application to which they are currently authenticated. Concrete CMS 9 anterior a 9.2.3 es vulnerable a Cross Site Request Forgery (CSRF) a través de /ccm/system/dialogs/logs/delete_all/submit. Un atacante puede obligar a un usuario administrador a eliminar los registros de informes del servidor en una aplicación web en la que está actualmente autenticado. • https://documentation.concretecms.org/developers/introduction/version-history/923-release-notes https://www.concretecms.org/about/project-news/security/2023-12-05-concrete-cms-new-cves-and-cve-updates • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-48648
https://notcve.org/view.php?id=CVE-2023-48648
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows unauthorized access because directories can be created with insecure permissions. File creation functions (such as the Mkdir() function) gives universal access (0777) to created folders by default. Excessive permissions can be granted when creating a directory with permissions greater than 0755 or when the permissions argument is not specified. Concrete CMS anterior a 8.5.13 y 9.x anterior a 9.2.2 permite el acceso no autorizado porque se pueden crear directorios con permisos inseguros. Las funciones de creación de archivos (como la función Mkdir()) brindan acceso universal (0777) a las carpetas creadas de forma predeterminada. • https://documentation.concretecms.org/developers/introduction/version-history/8513-release-notes https://documentation.concretecms.org/developers/introduction/version-history/922-release-notes https://www.concretecms.org/about/project-news/security/2023-11-09-security-blog-about-updated-cves-and-new-release • CWE-276: Incorrect Default Permissions •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2023-48649
https://notcve.org/view.php?id=CVE-2023-48649
Concrete CMS before 8.5.13 and 9.x before 9.2.2 allows stored XSS on the Admin page via an uploaded file name. Concrete CMS anterior a 8.5.13 y 9.x anterior a 9.2.2 permite almacenar XSS en la página de Administración a través de un nombre de archivo cargado. • https://documentation.concretecms.org/developers/introduction/version-history/8513-release-notes https://documentation.concretecms.org/developers/introduction/version-history/922-release-notes https://github.com/concretecms/concretecms/pull/11695 https://github.com/concretecms/concretecms/pull/11739 https://www.concretecms.org/about/project-news/security/2023-11-09-security-blog-about-updated-cves-and-new-release • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28475
https://notcve.org/view.php?id=CVE-2023-28475
Concrete CMS (previously concrete5) versions 8.5.12 and below, and versions 9.0 through 9.1.3 is vulnerable to Reflected XSS on the Reply form because msgID was not sanitized. • https://concretecms.com https://www.concretecms.org/about/project-news/security/2023-11-09-security-blog-about-updated-cves-and-new-release https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2023-04-20 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28819
https://notcve.org/view.php?id=CVE-2023-28819
Concrete CMS (previously concrete5) versions 8.5.12 and below, 9.0.0 through 9.0.2 is vulnerable to Stored XSS in uploaded file and folder names. • https://github.com/concretecms/concretecms/releases https://www.concretecms.org/about/project-news/security/2023-11-09-security-blog-about-updated-cves-and-new-release https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2023-04-20 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •