Page 9 of 88 results (0.007 seconds)

CVSS: 4.8EPSS: 0%CPEs: 2EXPL: 0

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in dashboard/system/express/entities/associations because Concrete CMS allows association with an entity name that doesn’t exist or, if it does exist, contains XSS since it was not properly sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. Concrete CMS (anteriormente concrete5) anterior a 8.5.10 y entre 9.0.0 y 9.1.2 es vulnerable a los Cross-Site Scripting (XSS) en dashboard/system/express/entities/associations porque Concrete CMS permite la asociación con un nombre de entidad que no existe o, si existe, contiene XSS ya que no fue sanitizado adecuadamente. Se corrige actualizando a Concrete CMS 9.1.3+ o 8.5.10+. • https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes https://github.com/concretecms/concretecms/releases/8.5.10 https://github.com/concretecms/concretecms/releases/9.1.3 https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. Concrete CMS (anteriormente concrete5) anterior a 8.5.10 y entre 9.0.0 y 9.1.2 no emite una nueva ID de sesión tras una autenticación OAuth exitosa. Se corrige actualizando a Concrete CMS 9.1.3+ o 8.5.10+. • https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes https://github.com/concretecms/concretecms/releases/8.5.10 https://github.com/concretecms/concretecms/releases/9.1.3 https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31 • CWE-384: Session Fixation •

CVSS: 4.8EPSS: 0%CPEs: 2EXPL: 0

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in icons since the Microsoft application tile color is not sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+. Concrete CMS (anteriormente concrete5) anterior a 8.5.10 y entre 9.0.0 y 9.1.2 es vulnerable a Cross-Site Scripting (XSS) almacenado en los íconos, ya que el color del mosaico de la aplicación de Microsoft no está sanitizado. Se corrige actualizando a Concrete CMS 9.1.3+ o 8.5.10+. • https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes https://github.com/concretecms/concretecms/releases/8.5.10 https://github.com/concretecms/concretecms/releases/9.1.3 https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0

Title for CVE: XSS in /dashboard/system/express/entities/forms/save_control/[GUID]: old browsers only.Description: When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 can allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 2 with CVSS v3.1 Vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N. Thanks zeroinside for reporting. Título del CVE: Una vulnerabilidad de tipo XSS en /dashboard/system/express/entities/forms/save_control/[GUID]: sólo para navegadores antiguos. • https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes https://hackerone.com/reports/1370054 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0

XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 to allow XSS. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. Concrete CMS Security team ranked this vulnerability 3.1with CVSS v3.1 Vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N. Sanitation has been added where built urls are output. • https://documentation.concretecms.org/developers/introduction/version-history/858-release-notes https://documentation.concretecms.org/developers/introduction/version-history/910-release-notes https://hackerone.com/reports/1363598 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •