CVE-2022-43689

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XXE based DNS requests leading to IP disclosure.

Concrete CMS (anteriormente concrete5) inferior a 8.5.10 y entre 9.0.0 y 9.1.2 es vulnerable a solicitudes de DNS basadas en XXE que conducen a la divulgación de IP.

*Credits: N/A

CVSS Scores

NISTv3.1 5.3

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-10-24 CVE Reserved
2022-11-14 CVE Published
2024-06-06 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-611: Improper Restriction of XML External Entity Reference

CAPEC

References (5)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://documentation.concretecms.org/developers/introduction/version-history/8510-release-notes	2022-11-17
https://documentation.concretecms.org/developers/introduction/version-history/913-release-notes	2022-11-17
https://github.com/concretecms/concretecms/releases/8.5.10	2022-11-17
https://github.com/concretecms/concretecms/releases/9.1.3	2022-11-17
https://www.concretecms.org/about/project-news/security/concrete-cms-security-advisory-2022-10-31	2022-11-17

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Concretecms Search vendor "Concretecms"		Concrete Cms Search vendor "Concretecms" for product "Concrete Cms"				< 8.5.10 Search vendor "Concretecms" for product "Concrete Cms" and version " < 8.5.10"		-		Affected
Concretecms Search vendor "Concretecms"		Concrete Cms Search vendor "Concretecms" for product "Concrete Cms"				>= 9.0.0 <= 9.1.2 Search vendor "Concretecms" for product "Concrete Cms" and version " >= 9.0.0 <= 9.1.2"		-		Affected