Shodan
Vulnerabilities
Vulnerable Software
Concretecms:  >> Concrete Cms  Security Vulnerabilities
CVE-2023-44766
A Cross Site Scripting (XSS) vulnerability in Concrete CMS v.9.2.1 allows an attacker to execute arbitrary code via a crafted script to the SEO - Extra from Page Settings. NOTE: the vendor disputes this because this SEO-related header change can only be made by an admin, and allowing an admin to place JavaScript there is an intentional customization feature.
CVSS Score
4.8
EPSS Score
0.002
Published
2023-10-06
CVE-2023-28471
Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS via a container name.
CVSS Score
5.4
EPSS Score
0.01
Published
2023-04-28
CVE-2023-28472
Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 does not have Secure and HTTP only attributes set for ccmPoll cookies.
CVSS Score
5.3
EPSS Score
0.003
Published
2023-04-28
CVE-2023-28473
Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to possible Auth bypass in the jobs section.
CVSS Score
3.3
EPSS Score
0.001
Published
2023-04-28
CVE-2023-28474
Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Saved Presets on search.
CVSS Score
5.4
EPSS Score
0.01
Published
2023-04-28
CVE-2023-28475
Concrete CMS (previously concrete5) versions 8.5.12 and below, and versions 9.0 through 9.1.3 is vulnerable to Reflected XSS on the Reply form because msgID was not sanitized.
CVSS Score
6.1
EPSS Score
0.004
Published
2023-04-28
CVE-2023-28476
Concrete CMS (previously concrete5) in versions 9.0 through 9.1.3 is vulnerable to Stored XSS on Tags on uploaded files.
CVSS Score
5.4
EPSS Score
0.01
Published
2023-04-28
CVE-2023-28477
Concrete CMS (previously concrete5) versions 8.5.12 and below, and 9.0 through 9.1.3 is vulnerable to stored XSS on API Integrations via the name parameter.
CVSS Score
5.5
EPSS Score
0.007
Published
2023-04-28
CVE-2023-28819
Concrete CMS (previously concrete5) versions 8.5.12 and below, 9.0.0 through 9.0.2 is vulnerable to Stored XSS in uploaded file and folder names.
CVSS Score
3.5
EPSS Score
0.014
Published
2023-04-28
CVE-2023-28820
Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized.
CVSS Score
2.0
EPSS Score
0.005
Published
2023-04-28


Products
Pricing
Contact Us

Shodan ® - All rights reserved