Concretecms: >> Concrete Cms >> 8.2.0 Security Vulnerabilities
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file.
CVSS Score
7.2
EPSS Score
0.01
Published
2020-07-28
Concrete5 before 8.5.3 does not constrain the sort direction to a valid asc or desc value.
CVSS Score
5.3
EPSS Score
0.003
Published
2020-06-22
A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to attacks on the local network and mapping of the internal network, because of URL functionality on the File Manager page.
CVSS Score
7.2
EPSS Score
0.004
Published
2018-07-09
An issue was discovered in tools/conversations/view_ajax.php in Concrete5 before 8.3.0. An unauthenticated user can enumerate comments from all blog posts by POSTing requests to /index.php/tools/required/conversations/view_ajax with incremental 'cnvID' integers.
CVSS Score
5.3
EPSS Score
0.037
Published
2018-02-26
Page 8