CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-43968
https://notcve.org/view.php?id=CVE-2022-43968
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the dashboard icons due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. Concrete CMS (anteriormente concrete5) anterior a 8.5.10 y entre 9.0.0 y 9.1.2 es vulnerable a XSS reflejado en los íconos del tablero debido a resultados no sanitizados. Se corrige actualizando a Concrete CMS 9.1.3+ o 8.5.10+. • https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes https://github.com/concretecms/concretecms/releases/8.5.10 https://github.com/concretecms/concretecms/releases/9.1.3 https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-43695
https://notcve.org/view.php?id=CVE-2022-43695
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn’t exist or, if it does exist, contains XSS since it was not properly sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. Concrete CMS (anteriormente concrete5) anterior a 8.5.10 y entre 9.0.0 y 9.1.2 es vulnerable a los Cross-Site Scripting (XSS) en dashboard/system/express/entities/associations porque Concrete CMS permite la asociación con un nombre de entidad que no existe o, si existe, contiene XSS ya que no fue sanitizado adecuadamente. Se corrige actualizando a Concrete CMS 9.1.3+ o 8.5.10+. • https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes https://github.com/concretecms/concretecms/releases/8.5.10 https://github.com/concretecms/concretecms/releases/9.1.3 https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-43686
https://notcve.org/view.php?id=CVE-2022-43686
In Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2, the authTypeConcreteCookieMap table can be filled up causing a denial of service (high load). En Concrete CMS (formerly concrete5) versiones anteriores a 8.5.10 y entre 9.0.0 y 9.1.2, la tabla authTypeConcreteCookieMap se puede llenar provocando una denegación de servicio (high load). • https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes https://github.com/concretecms/concretecms/releases/8.5.10 https://github.com/concretecms/concretecms/releases/9.1.3 https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-30118
https://notcve.org/view.php?id=CVE-2022-30118
Title for CVE: XSS in /dashboard/system/express/entities/forms/save_control/[GUID]: old browsers only.Description: When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 can allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks zeroinside for reporting. Título del CVE: Una vulnerabilidad de tipo XSS en /dashboard/system/express/entities/forms/save_control/[GUID]: sólo para navegadores antiguos. • https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes https://hackerone.com/reports/1370054 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-30120
https://notcve.org/view.php?id=CVE-2022-30120
XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 3.1with CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. • https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes https://hackerone.com/reports/1363598 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •