concrete5/core

Packagist: 9 known CVEs affecting this package

Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.

CVEs affecting concrete5/core (page 1 of 1)
- CVE-2021-22951 | Severity: HIGH | CVSS 7.5 | EG 7.5 | Fixed in 8.5.7 | Published 2021-11-19
  Vulnerable: 8.2.0 ... 8.5.6RC1 (24 versions)
  Unauthorized individuals could view password protected files using view_inline in Concrete CMS (previously concrete 5) prior to version 8.5.7. Concrete CMS now checks to see if a file has a password in view_inline and, if it does, the file…
- CVE-2021-22966 | Severity: HIGH | CVSS 8.8 | EG 8.8 | Fixed in 8.5.7 | Published 2021-11-19
  Vulnerable: 8.2.0 ... 8.5.6RC1 (24 versions)
  Privilege escalation from Editor to Admin using Groups in Concrete CMS versions 8.5.6 and below. If a group is granted "view" permissions on the bulkupdate page, then users in that group can escalate to being an administrator with a specia…
- CVE-2021-22967 | Severity: HIGH | CVSS 7.5 | EG 7.5 | Fixed in 8.5.7 | Published 2021-11-19
  Vulnerable: 8.2.0 ... 8.5.6RC1 (24 versions)
  In Concrete CMS (formerly concrete 5) below 8.5.7, IDOR Allows Unauthenticated User to Access Restricted Files If Allowed to Add Message to a Conversation. To remediate this, a check was added to verify a user has permissions to view files …
- CVE-2021-22968 | Severity: HIGH | CVSS 7.2 | EG 7.2 | Fixed in 8.5.7 | Published 2021-11-19
  Vulnerable: 8.2.0 ... 8.5.6RC1 (24 versions)
  A bypass of adding remote files in Concrete CMS (previously concrete5) File Manager leads to remote code execution in Concrete CMS (concrete5) versions 8.5.6 and below. The external file upload feature stages files in the public directory e…
- CVE-2021-22969 | Severity: MEDIUM | CVSS 5.3 | EG 5.3 | Fixed in 8.5.7 | Published 2021-11-19
  Vulnerable: 8.2.0 ... 8.5.6RC1 (24 versions)
  Concrete CMS (formerly concrete5) versions below 8.5.7 has a SSRF mitigation bypass using DNS Rebind attack giving an attacker the ability to fetch cloud IAAS (ex AWS) IAM keys. To fix this Concrete CMS no longer allows downloads from the l…
- CVE-2021-22970 | Severity: HIGH | CVSS 7.5 | EG 7.5 | Fixed in 8.5.7 | Published 2021-11-19
  Vulnerable: 8.2.0 ... 8.5.6RC1 (24 versions)
  Concrete CMS (formerly concrete5) versions 8.5.6 and below and version 9.0.0 allow local IP importing causing the system to be vulnerable to a. SSRF attacks on the private LAN servers by reading files from the local LAN. An attacker can piv…
- CVE-2022-21829 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | Fixed in 8.5.8 | Published 2022-06-24
  Vulnerable: 8.2.0 ... 8.5.7 (25 versions)
  Concrete CMS Versions 9.0.0 through 9.0.2 and 8.5.7 and below can download zip files over HTTP and execute code from those zip files which could lead to an RCE. Fixed by enforcing 'concrete_secure' instead of 'concrete'. Concrete n…
- CVE-2022-30117 | Severity: CRITICAL | CVSS 9.1 | EG 9.1 | Fixed in 8.5.8 | Published 2022-06-24
  Vulnerable: 8.2.0 ... 8.5.7 (25 versions)
  Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 allow traversal in /index.php/ccm/system/file/upload which could result in an Arbitrary File Delete exploit. This was remediated by sanitizing /index.php/ccm/system/file/upload…
- CVE-2022-30120 | Severity: MEDIUM | CVSS 6.1 | EG 6.1 | Fixed in 8.5.8 | Published 2022-06-24
  Vulnerable: 8.2.0 ... 8.5.7 (25 versions)
  XSS in /dashboard/blocks/stacks/view_details/ - old browsers only. When using an older browser with built-in XSS protection disabled, insufficient sanitation where built urls are outputted can be exploited for Concrete 8.5.7 and below as w…