Security Vulnerabilities - CVEs Published In April 2023
Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to possible Auth bypass in the jobs section.
CVSS Score
3.3
EPSS Score
0.001
Published
2023-04-28
Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Saved Presets on search.
CVSS Score
5.4
EPSS Score
0.01
Published
2023-04-28
Concrete CMS (previously concrete5) versions 8.5.12 and below, and versions 9.0 through 9.1.3 is vulnerable to Reflected XSS on the Reply form because msgID was not sanitized.
CVSS Score
6.1
EPSS Score
0.011
Published
2023-04-28
Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Tags on uploaded files.
CVSS Score
5.4
EPSS Score
0.01
Published
2023-04-28
Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to stored XSS on API Integrations via the name parameter.
CVSS Score
5.5
EPSS Score
0.007
Published
2023-04-28
Concrete CMS (previously concrete5) versions 8.5.12 and below, 9.0.0 through 9.0.2 is vulnerable to Stored XSS in uploaded file and folder names.
CVSS Score
3.5
EPSS Score
0.018
Published
2023-04-28
Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized.
CVSS Score
2.0
EPSS Score
0.005
Published
2023-04-28
Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets.
CVSS Score
5.3
EPSS Score
0.002
Published
2023-04-28
A vulnerability classified as critical has been found in SourceCodester Online DJ Management System 1.0. Affected is an unknown function of the file admin/events/manage_event.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-227646 is the identifier assigned to this vulnerability.
CVSS Score
6.3
EPSS Score
0.001
Published
2023-04-28
A vulnerability classified as critical was found in SourceCodester Online DJ Management System 1.0. Affected by this vulnerability is an unknown functionality of the file admin/inquiries/view_details.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-227647.
CVSS Score
6.3
EPSS Score
0.001
Published
2023-04-28