Concrete CMS < 8.5.6 Multiple Vulnerabilities
Information
Severity
Family
CVSSv2 Base
CVSSv2 Vector
Solution Type
Created
Modified
Summary
Concrete CMS is prone to multiple vulnerabilities.
Insight
The following vulnerabilities exist:
- CVE-2021-22949: CSRF allows an attacker to duplicate files, which can lead to UI inconvenience and exhaustion of disk space
- CVE-2021-22950: CSRF allows attachments to comments in the conversation section to be deleted
- CVE-2021-22953: CSRF allows an attacker to clone topics, which can lead to UI inconvenience and exhaustion of disk space
- CVE-2021-40097: Authenticated path traversal leads to remote code execution via uploaded PHP code, related to the bFilename parameter
- CVE-2021-40098: Path traversal leading to RCE via an external form by adding a regular expression
- CVE-2021-40099: Fetching the update JSON scheme over HTTP leads to remote code execution
- CVE-2021-40100: Stored XSS can occur in Conversations when the Active Conversation Editor is set to Rich Text
- CVE-2021-40102: Arbitrary file deletion can occur via PHAR deserialization in is_dir
- CVE-2021-40103: Path traversal can lead to arbitrary file reading and SSRF
- CVE-2021-40104: SVG sanitizer bypass
- CVE-2021-40105: XSS via Markdown comments
- CVE-2021-40106: Unauthenticated stored XSS in blog comments via the website field
- CVE-2021-40107: Stored XSS in the comment section/File Manager
- CVE-2021-40108: CSRF in the calendar
- CVE-2021-40109: SSRF
Affected Software
Concrete CMS versions prior to 8.5.6.
Detection Method
Checks if a vulnerable version is present on the target host.
Solution
Update to version 8.5.6 or later.