CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-21829
https://notcve.org/view.php?id=CVE-2022-21829
Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing ‘concrete_secure’ instead of ‘concrete’. Concrete now only makes requests over https even a request comes in via http. Concrete CMS security team ranked this 8 with CVSS v3.1 vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H Credit goes to Anna for reporting HackerOne 1482520. Concrete CMS versiones 9.0.0 a 9.0.2 y 8.5.7, pueden descargar archivos zip a través de HTTP y ejecutar código desde esos archivos zip, lo que podría conllevar a un RCE. • https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes%2C https://hackerone.com/reports/1482520%2C • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-30119
https://notcve.org/view.php?id=CVE-2022-30119
XSS in /dashboard/reports/logs/view - old browsers only. When using Internet Explorer with the XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks zeroinside for reporting. • https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes https://hackerone.com/reports/1370054 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-30117
https://notcve.org/view.php?id=CVE-2022-30117
Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 allow traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. This was remediated by sanitizing /index.php/ccm/system/file/upload to ensure Concrete doesn’t allow traversal and by changing isFullChunkFilePresent to have an early false return when input doesn't match expectations.Concrete CMS Security team ranked this 5.8 with CVSS v3.1 vector AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H. Credit to Siebene for reporting. Concrete versiones 8.5.7 y anteriores, así como Concrete versiones 9.0 hasta 9.0.2, permiten un salto en el archivo /index.php/ccm/system/file/upload, lo que podría resultar en una explotación de eliminación de archivos arbitrarios. Esto fue mitigado al sanear /index.php/ccm/system/file/upload para asegurar que Concrete no permita el salto y cambiando isFullChunkFilePresent para que tenga un retorno falso temprano cuando la entrada no coincida con las expectativas. • https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes https://hackerone.com/reports/1482280 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-22954
https://notcve.org/view.php?id=CVE-2021-22954
A cross-site request forgery vulnerability exists in Concrete CMS <v9 that could allow an attacker to make requests on behalf of other users. Se presenta una vulnerabilidad de tipo cross-site request forgery en Concrete CMS versiones anteriores a v9, que podría permitir a un atacante realizar peticiones en nombre de otros usuarios • https://documentation.concretecms.org/developers/introduction/version-history/90-release-notes • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2021-40101
https://notcve.org/view.php?id=CVE-2021-40101
An issue was discovered in Concrete CMS before 8.5.7. The Dashboard allows a user's password to be changed without a prompt for the current password. Se ha detectado un problema en Concrete CMS versiones anteriores a 8.5.7. El Dashboard permite cambiar la contraseña de un usuario sin que le sea pedida la contraseña actual • https://github.com/S1lkys/CVE-2021-40101 https://documentation.concretecms.org/developers/introduction/version-history/857-release-notes https://hackerone.com/reports/1065577 • CWE-732: Incorrect Permission Assignment for Critical Resource •