CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-43693
https://notcve.org/view.php?id=CVE-2022-43693
Concrete CMS is vulnerable to CSRF due to the lack of "State" parameter for external Concrete authentication service for users of Concrete who use the "out of the box" core OAuth. Concrete CMS es vulnerable a Cross-Site Request Forgery (CSRF) debido a la falta del parámetro "State" para el servicio de autenticación externo de Concrete para usuarios de Concrete que utilizan el núcleo OAuth "out of the box". • https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes https://github.com/concretecms/concretecms/releases/8.5.10 https://github.com/concretecms/concretecms/releases/9.1.3 https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-43694
https://notcve.org/view.php?id=CVE-2022-43694
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the image manipulation library due to un-sanitized output. Concrete CMS (anteriormente concrete5) anterior a 8.5.10 y entre 9.0.0 y 9.1.2 es vulnerable a Reflected XSS en la librería de manipulación de imágenes debido a una salida no sanitizada. • https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes https://github.com/concretecms/concretecms/releases/8.5.10 https://github.com/concretecms/concretecms/releases/9.1.3 https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-43968
https://notcve.org/view.php?id=CVE-2022-43968
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the dashboard icons due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. Concrete CMS (anteriormente concrete5) anterior a 8.5.10 y entre 9.0.0 y 9.1.2 es vulnerable a XSS reflejado en los íconos del tablero debido a resultados no sanitizados. Se corrige actualizando a Concrete CMS 9.1.3+ o 8.5.10+. • https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes https://github.com/concretecms/concretecms/releases/8.5.10 https://github.com/concretecms/concretecms/releases/9.1.3 https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2022-43689
https://notcve.org/view.php?id=CVE-2022-43689
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure. Concrete CMS (anteriormente concrete5) inferior a 8.5.10 y entre 9.0.0 y 9.1.2 es vulnerable a solicitudes de DNS basadas en XXE que conducen a la divulgación de IP. • https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes https://github.com/concretecms/concretecms/releases/8.5.10 https://github.com/concretecms/concretecms/releases/9.1.3 https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-43692
https://notcve.org/view.php?id=CVE-2022-43692
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS - user can cause an administrator to trigger reflected XSS with a url if the targeted administrator is using an old browser that lacks XSS protection. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. Concrete CMS (anteriormente concrete5) anterior a 8.5.10 y entre 9.0.0 y 9.1.2 es vulnerable a Reflected XSS: el usuario puede hacer que un administrador active XSS reflejado con una URL si el administrador objetivo está utilizando un navegador antiguo que carece de protección XSS. Se corrige actualizando a Concrete CMS 9.1.3+ o 8.5.10+. • https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes https://github.com/concretecms/concretecms/releases/8.5.10 https://github.com/concretecms/concretecms/releases/9.1.3 https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •