Shodan
Vulnerabilities
Vulnerable Software
Concretecms:  >> Concrete Cms  Security Vulnerabilities
CVE-2020-24986
Concrete5 up to and including 8.5.2 allows Unrestricted Upload of File with Dangerous Type such as a .php file via File Manager. It is possible to modify site configuration to upload the PHP file and execute arbitrary commands.
CVSS Score
7.2
EPSS Score
0.02
Published
2020-09-04
CVE-2020-11476
Concrete5 before 8.5.3 allows Unrestricted Upload of File with Dangerous Type such as a .phar file.
CVSS Score
7.2
EPSS Score
0.029
Published
2020-07-28
CVE-2020-14961
Concrete5 before 8.5.3 does not constrain the sort direction to a valid asc or desc value.
CVSS Score
5.3
EPSS Score
0.009
Published
2020-06-22
CVE-2011-3183
A Cross-Site Scripting (XSS) vulnerability exists in the rcID parameter in Concrete CMS 5.4.1.1 and earlier.
CVSS Score
6.1
EPSS Score
0.007
Published
2020-01-14
CVE-2018-19146
Concrete5 8.4.3 has XSS because config/concrete.php allows uploads (by administrators) of SVG files that may contain HTML data with a SCRIPT element.
CVSS Score
4.8
EPSS Score
0.01
Published
2019-06-17
CVE-2018-13790
A Server Side Request Forgery (SSRF) vulnerability in tools/files/importers/remote.php in concrete5 8.2.0 can lead to attacks on the local network and mapping of the internal network, because of URL functionality on the File Manager page.
CVSS Score
7.2
EPSS Score
0.01
Published
2018-07-09
CVE-2017-18195
An issue was discovered in tools/conversations/view_ajax.php in Concrete5 before 8.3.0. An unauthenticated user can enumerate comments from all blog posts by POSTing requests to /index.php/tools/required/conversations/view_ajax with incremental 'cnvID' integers.
CVSS Score
5.3
EPSS Score
0.111
Published
2018-02-26
CVE-2015-4721
Multiple cross-site scripting (XSS) vulnerabilities in Concrete5 5.7.3.1.
CVSS Score
6.1
EPSS Score
0.007
Published
2017-09-07
CVE-2015-4724
SQL injection vulnerability in Concrete5 5.7.3.1.
CVSS Score
8.8
EPSS Score
0.008
Published
2017-09-07
CVE-2017-8082
concrete5 8.1.0 has CSRF in Thumbnail Editor in the File Manager, which allows remote attackers to disable the entire installation by merely tricking an admin into viewing a malicious page involving the /tools/required/files/importers/imageeditor?fID=1&imgData= URI. This results in a site-wide denial of service making the site not accessible to any users or any administrators.
CVSS Score
6.5
EPSS Score
0.012
Published
2017-04-24


Products
Pricing
Contact Us

Shodan ® - All rights reserved